
Cisco ASDM User Guide

Version 5.2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-10106-04

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)

Cisco ASDM User Guide
© 2008 Cisco Systems, Inc. All rights reserved.

CONTENTS

About This Guide  xxix
    Related Documentation  xxix
    Obtaining Documentation and Submitting a Service Request  xxix


CHAPTER 1  Welcome to ASDM  1-1
    Important Notes  1-1
    New in This Release  1-2
        Features Introduced in the 5.2(1) Release  1-2
        Features Introduced in the 5.2(2) Release  1-2
        Features Introduced in the 5.2(3) Release  1-3
        Features Introduced in the 5.2(4) Release  1-4
    Unsupported Commands  1-5
        Ignored and View-Only Commands  1-5
        Effects of Unsupported Commands  1-6
        Other CLI Limitations  1-6
    About the ASDM Window  1-6
        Menus  1-7
            File Menu  1-7
            Options Menu  1-9
            Tools Menu  1-11
            Wizards Menu  1-22
            Help Menu  1-22
        Toolbar  1-22
        Status Bar  1-23
            Connection to Device  1-24
        Buttons That Appear on Many Panels  1-24
    About the Help Window  1-24
        Header Buttons  1-24
        Notes  1-25
    Home Page  1-25
        Home  1-25
        Home > Content Security Tab  1-27

Cisco ASDM User Guide OL-10106-04

iii

Contents

CHAPTER 2  Before You Start  2-1
    Factory Default Configurations  2-1
        Restoring the Factory Default Configuration  2-2
        ASA 5505 Default Configuration  2-2
        ASA 5510 and Higher Default Configuration  2-3
        PIX 515/515E Default Configuration  2-4
    Configuring the Security Appliance for ASDM Access  2-4
    Setting Transparent or Routed Firewall Mode at the CLI  2-5
    Downloading the ASDM Launcher  2-6
    Starting ASDM  2-6
        Starting ASDM from the ASDM Launcher  2-6
        Using ASDM in Demo Mode  2-7
        Starting ASDM from a Web Browser  2-8
    History Metrics  2-9
    Configuration Overview  2-9
CHAPTER 3  Using the Startup Wizard  3-1
    Startup Wizard  3-1
        Starting Point  3-3
        Basic Configuration  3-4
        Outside Interface Configuration  3-5
        Internet (Outside) VLAN Configuration  3-7
        Outside Interface Configuration - PPPoE  3-8
        Internet (Outside) VLAN Configuration - PPPoE  3-9
        Inside Interface Configuration  3-11
        Business (Inside) VLAN Configuration  3-12
        DMZ Interface Configuration  3-14
        Home (DMZ) VLAN Configuration  3-15
        Switch Port Allocation  3-17
        General Interface Configuration  3-18
        Static Routes  3-19
            Add/Edit Static Routes  3-19
            Route Monitoring Options  3-19
        Auto Update Server  3-19
        DHCP Server  3-20
        Address Translation (NAT/PAT)  3-21
        Administrative Access  3-23
            Add/Edit Administrative Access Entry  3-23
        Easy VPN Remote Configuration  3-25
        Management IP Address Configuration  3-27
        Other Interfaces Configuration  3-28
            Edit Interface  3-28
        Startup Wizard Summary  3-29

CHAPTER 4  Configuring Interfaces  4-1
    Security Level Overview  4-1
    Configuring the Interfaces  4-2
        Interfaces (System)  4-2
            Add/Edit Interface  4-3
            Hardware Properties  4-4
        Interfaces (Single Mode and Context)  4-5
            Add/Edit Interface > General  4-7
            Add/Edit Interface > Advanced  4-9
            PPPoE IP Address and Route Settings  4-10
            Hardware Properties  4-11
CHAPTER 5  Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance  5-13
    Interface Overview  5-13
        Understanding ASA 5505 Ports and Interfaces  5-14
        Maximum Active VLAN Interfaces for Your License  5-14
        Default Interface Configuration  5-16
        VLAN MAC Addresses  5-16
        Power Over Ethernet  5-16
        Monitoring Traffic Using SPAN  5-16
        Security Level Overview  5-17
    Configuring VLAN Interfaces  5-17
        Interfaces > Interfaces  5-18
            Add/Edit Interface > General  5-19
            Add/Edit Interface > Advanced  5-22
    Configuring Switch Ports  5-23
        Interfaces > Switch Ports  5-24
            Edit Switch Port  5-24

CHAPTER 6  Global Objects  6-1
    Using Network Objects and Groups  6-1
        Network Object Overview  6-1
        Configuring a Network Object  6-2
        Configuring a Network Object Group  6-3
        Using Network Objects and Groups in a Rule  6-4
        Viewing the Usage of a Network Object or Group  6-4
    Configuring Service Groups  6-5
        Service Groups  6-5
            Add/Edit Service Group  6-6
            Browse Service Groups  6-7
    Configuring Class Maps  6-8
        DNS Class Map  6-8
            Add/Edit DNS Traffic Class Map  6-9
            Add/Edit DNS Match Criterion  6-9
            Manage Regular Expressions  6-11
            Manage Regular Expression Class Maps  6-11
        FTP Class Map  6-12
            Add/Edit FTP Traffic Class Map  6-13
            Add/Edit FTP Match Criterion  6-13
        H.323 Class Map  6-15
            Add/Edit H.323 Traffic Class Map  6-15
            Add/Edit H.323 Match Criterion  6-16
        HTTP Class Map  6-17
            Add/Edit HTTP Traffic Class Map  6-18
            Add/Edit HTTP Match Criterion  6-18
        IM Class Map  6-22
            Add/Edit IM Traffic Class Map  6-23
            Add/Edit IM Match Criterion  6-23
        SIP Class Map  6-25
            Add/Edit SIP Traffic Class Map  6-26
            Add/Edit SIP Match Criterion  6-26
    Configuring Inspect Maps  6-28
        DCERPC Inspect Map  6-31
            Customize Security Level  6-32
            DCERPC Inspect Map Basic/Advanced View  6-33
        DNS Inspect Map  6-33
            Customize Security Level  6-35
            DNS Inspect Map Basic View  6-36
            DNS Inspect Map Advanced View  6-37
            Add/Edit DNS Inspect  6-38
            Manage Class Maps  6-40
        ESMTP Inspect Map  6-41
            Customize Security Level  6-42
            MIME File Type Filtering  6-43
            ESMTP Inspect Map Basic View  6-44
            ESMTP Inspect Map Advanced View  6-44
            Add/Edit ESMTP Inspect  6-45
        FTP Inspect Map  6-49
            Customize Security Level  6-50
            File Type Filtering  6-51
            FTP Inspect Map Basic View  6-51
            FTP Inspect Map Advanced View  6-52
            Add/Edit FTP Map  6-53
        GTP Inspect Map  6-55
            Customize Security Level  6-56
            IMSI Prefix Filtering  6-57
            GTP Inspect Map Basic View  6-57
            GTP Inspect Map Advanced View  6-58
            Add/Edit GTP Map  6-60
        H.323 Inspect Map  6-61
            Customize Security Level  6-62
            Phone Number Filtering  6-63
            H.323 Inspect Map Basic View  6-64
            H.323 Inspect Map Advanced View  6-64
            Add/Edit HSI Group  6-66
            Add/Edit H.323 Map  6-66
        HTTP Inspect Map  6-67
            Customize Security Level  6-69
            URI Filtering  6-69
            HTTP Inspect Map Basic View  6-70
            HTTP Inspect Map Advanced View  6-70
            Add/Edit HTTP Map  6-71
        Instant Messaging (IM) Inspect Map  6-75
            Instant Messaging (IM) Inspect Map View  6-76
            Add/Edit IM Map  6-77
        IPSec Pass Through Inspect Map  6-79
            Customize Security Level  6-80
            IPSec Pass Through Inspect Map Basic View  6-80
            IPSec Pass Through Inspect Map Advanced View  6-81
        MGCP Inspect Map  6-82
            Gateways and Call Agents  6-82
            MGCP Inspect Map View  6-83
            Add/Edit MGCP Group  6-84
        NetBIOS Inspect Map  6-85
            NetBIOS Inspect Map View  6-86
        RADIUS Inspect Map  6-86
            RADIUS Inspect Map Host  6-87
            RADIUS Inspect Map Other  6-87
        SCCP (Skinny) Inspect Map  6-88
            Customize Security Level  6-89
            Message ID Filtering  6-90
            SCCP (Skinny) Inspect Map Basic View  6-91
            SCCP (Skinny) Inspect Map Advanced View  6-91
            Add/Edit Message ID Filter  6-92
        SIP Inspect Map  6-93
            Customize Security Level  6-94
            SIP Inspect Map Basic View  6-95
            SIP Inspect Map Advanced View  6-96
            Add/Edit SIP Inspect  6-97
        SNMP Inspect Map  6-100
            Add/Edit SNMP Map  6-100
    Configuring Regular Expressions  6-101
        Regular Expressions  6-101
            Add/Edit Regular Expression  6-102
            Build Regular Expression  6-104
            Test Regular Expression  6-106
            Add/Edit Regular Expression Class Map  6-106
    TCP Maps  6-107
        Add/Edit TCP Map  6-108
    Configuring Time Ranges  6-110
        Add/Edit Time Range  6-110
        Add/Edit Periodic Time Range  6-111

CHAPTER 7  Configuring Security Contexts  7-1
    Security Context Overview  7-1
        Common Uses for Security Contexts  7-2
        Unsupported Features  7-2
        Context Configuration Files  7-2
        How the Security Appliance Classifies Packets  7-2
            Valid Classifier Criteria  7-3
            Invalid Classifier Criteria  7-4
            Classification Examples  7-4
        Cascading Security Contexts  7-7
        Management Access to Security Contexts  7-8
            System Administrator Access  7-8
            Context Administrator Access  7-9
    Enabling or Disabling Multiple Context Mode at the CLI  7-9
        Backing Up the Single Mode Configuration  7-9
        Enabling Multiple Context Mode  7-9
        Restoring Single Context Mode  7-10
    Configuring Resource Classes  7-10
        Classes and Class Members Overview  7-10
            Resource Limits  7-11
            Default Class  7-12
            Class Members  7-13
        Adding a Resource Class  7-13
            Resource Class  7-13
            Add/Edit Resource Class  7-14
    Configuring Security Contexts  7-16
        Security Contexts  7-16
            Add/Edit Context  7-17
            Add/Edit Interface Allocation  7-18

CHAPTER 8  Configuring Device Properties  8-1
    Management IP  8-1
    Device Administration  8-2
        Banner  8-2
        Boot Image/Configuration  8-3
            Add Boot Image  8-4
        Clock  8-4
        Console  8-5
        Device  8-5
        FTP Mode  8-6
        ICMP Rules  8-7
            Add/Edit ICMP Rule  8-8
        Management Access  8-9
        NTP  8-10
            Add/Edit NTP Server Configuration  8-11
        Password  8-11
        Secure Copy  8-12
        SMTP  8-13
        SNMP  8-13
            Add/Edit SNMP Host Access Entry  8-16
            SNMP Trap Configuration  8-18
        TFTP Server  8-19
        User Accounts  8-20
            Add/Edit User Account > Identity Tab  8-22
            Add/Edit User Account > VPN Policy Tab  8-22
            Add/Edit User Account > WebVPN Tab  8-24
    Auto Update  8-28
        Set Polling Schedule  8-30
        Add/Edit Auto Update Server  8-30
        Advanced Auto Update Settings  8-31
    Client Update  8-32
        Add/Edit Client Update  8-33

CHAPTER 9  DHCP and DNS Services  9-1
    DHCP Relay  9-1
        Edit DHCP Relay Agent Settings  9-3
        DHCP Relay - Add/Edit DHCP Server  9-3
    DHCP Server  9-4
        Edit DHCP Server  9-6
        Advanced DHCP Options  9-7
    DNS Client  9-9
        Add/Edit DNS Server Group  9-9
    Dynamic DNS  9-10
        Add/Edit Dynamic DNS Update Methods  9-11
        Add/Edit Dynamic DNS Interface Settings  9-12
CHAPTER 10  Configuring AAA Servers  10-1
    Understanding AAA  10-1
        AAA Overview  10-1
        Preparing for AAA  10-2
        LOCAL Database  10-3
        AAA Implementation in ASDM  10-3
            AAA for Device Administration  10-3
            AAA for Network Access  10-4
            AAA for VPN Access  10-4
    AAA Setup  10-4
        AAA Server Groups  10-4
            Add/Edit AAA Server Group  10-6
            Edit AAA Local Server Group  10-7
            Add/Edit AAA Server  10-7
            Test AAA Server  10-11
        Auth. Prompt  10-12
        LDAP Attribute Map  10-13
            Add/Edit LDAP Attribute Map  10-14
CHAPTER 11  Configuring Device Access  11-1
    AAA Access  11-1
        Authentication Tab  11-1
        Authorization Tab  11-2
            Command Privileges Setup  11-3
            Predefined User Account Command Privilege Setup  11-4
        Accounting Tab  11-5
    HTTPS/ASDM  11-6
        Add/Edit HTTP Configuration  11-6
    Secure Shell  11-7
        Add/Edit SSH Configuration  11-8
    Telnet  11-8
        Add/Edit Telnet Configuration  11-9
    Virtual Access  11-11

CHAPTER 12  Failover  12-1
    Understanding Failover  12-1
        Active/Standby Failover  12-2
        Active/Active Failover  12-2
        Stateless (Regular) Failover  12-3
        Stateful Failover  12-3
    Configuring Failover with the High Availability and Scalability Wizard  12-4
        Accessing and Using the High Availability and Scalability Wizard  12-4
        Configuring Active/Active Failover with the High Availability and Scalability Wizard  12-4
        Configuring Active/Standby Failover with the High Availability and Scalability Wizard  12-5
        Configuring VPN Load Balancing with the High Availability and Scalability Wizard  12-6
        Field Information for the High Availability and Scalability Wizard  12-7
            Choose the Type of Failover Configuration  12-7
            Check Failover Peer Connectivity and Compatibility  12-8
            Change Device to Multiple Mode  12-8
            Select Failover Communication Media  12-9
            Security Context Configuration  12-9
            Failover Link Configuration  12-10
            State Link Configuration  12-11
            Standby Address Configuration  12-11
            VPN Cluster Load Balancing Configuration  12-12
            Summary  12-14
    Field Information for the Failover Panes  12-14
        Failover - Single Mode  12-15
            Failover: Setup  12-15
            Failover: Interfaces (Routed Firewall Mode)  12-17
            Failover: Interfaces (Transparent Firewall Mode)  12-19
            Failover: Criteria  12-20
            Failover: MAC Addresses  12-21
            Add/Edit Interface MAC Address  12-22
        Failover - Multiple Mode, Security Context  12-23
            Failover - Routed  12-23
            Failover - Transparent  12-24
        Failover - Multiple Mode, System  12-26
            Failover > Setup Tab  12-26
            Failover > Criteria Tab  12-28
            Failover > Active/Active Tab  12-29
            Failover > MAC Addresses Tab  12-32
CHAPTER 13  Configuring Logging  13-1
    About Logging  13-1
        Security Contexts in Logging  13-1
    Using Logging  13-1
        Logging Setup  13-2
            Configure FTP Settings  13-3
            Configure Logging Flash Usage  13-4
        Syslog Setup  13-4
            Edit Syslog ID Settings  13-5
            Advanced Syslog Configuration  13-6
        E-Mail Setup  13-6
            Add/Edit E-Mail Recipients  13-7
        Event Lists  13-8
            Add/Edit Event List  13-9
            Add/Edit Syslog Message ID Filter  13-11
        Logging Filters  13-11
            Edit Logging Filters  13-12
            Add/Edit Class and Severity Filter  13-13
            Add/Edit Syslog Message ID Filter  13-14
        Rate Limit  13-15
            Edit Rate Limit for Syslog Logging Level  13-16
            Add/Edit Rate Limit for Syslog Message  13-17
        Syslog Servers  13-18
            Add/Edit Syslog Server  13-19

CHAPTER 14  Configuring Dynamic And Static Routing  14-1
    Dynamic Routing  14-1
        OSPF  14-1
            Setup  14-2
            Filtering  14-8
            Interface  14-10
            Redistribution  14-14
            Static Neighbor  14-16
            Summary Address  14-17
            Virtual Link  14-19
        RIP  14-21
            Global Setup  14-22
            Interface  14-23
            Filter Rules  14-24
            Route Redistribution  14-26
    Static Routes  14-28
        Static Route Tracking  14-29
            Configuring Static Route Tracking  14-29
        Field Information for Static Routes  14-30
            Static Routes  14-30
            Add/Edit Static Route  14-31
            Route Monitoring Options  14-32
    ASR Group  14-32
    Proxy ARPs  14-33

CHAPTER 15  Configuring Multicast Routing  15-1
    Multicast  15-1
    IGMP  15-2
        Access Group  15-2
            Add/Edit Access Group  15-3
        Join Group  15-3
            Add/Edit IGMP Join Group  15-4
        Protocol  15-4
            Configure IGMP Parameters  15-5
        Static Group  15-6
            Add/Edit IGMP Static Group  15-7
    Multicast Route  15-7
        Add/Edit Multicast Route  15-8
    MBoundary  15-8
        Edit Boundary Filter  15-9
        Add/Edit/Insert Neighbor Filter Entry  15-10
    MForwarding  15-10
    PIM  15-11
        Protocol  15-11
            Edit PIM Protocol  15-12
        Neighbor Filter  15-13
            Add/Edit/Insert Neighbor Filter Entry  15-13
        Bidirectional Neighbor Filter  15-14
            Add/Edit/Insert Bidirectional Neighbor Filter Entry  15-15
        Rendezvous Points  15-16
            Add/Edit Rendezvous Point  15-16
        Request Filter  15-18
            Request Filter Entry  15-19
        Route Tree  15-19

CHAPTER 16  Firewall Mode Overview  16-1
    Routed Mode Overview  16-1
        IP Routing Support  16-2
        Network Address Translation  16-2
        How Data Moves Through the Security Appliance in Routed Firewall Mode  16-3
            An Inside User Visits a Web Server  16-4
            An Outside User Visits a Web Server on the DMZ  16-5
            An Inside User Visits a Web Server on the DMZ  16-6
            An Outside User Attempts to Access an Inside Host  16-7
            A DMZ User Attempts to Access an Inside Host  16-8
    Transparent Mode Overview  16-8
        Transparent Firewall Features  16-9
        Using the Transparent Firewall in Your Network  16-10
        Transparent Firewall Guidelines  16-10
        Unsupported Features in Transparent Mode  16-11
        How Data Moves Through the Transparent Firewall  16-12
            An Inside User Visits a Web Server  16-13
            An Outside User Visits a Web Server on the Inside Network  16-14
            An Outside User Attempts to Access an Inside Host  16-15

CHAPTER 17  Configuring Access Rules  17-1
    Access Rules  17-1
        Rule Queries  17-3
            New/Edit Rule Query  17-4
        Add/Edit Access Rule  17-5
            Manage Service Groups  17-7
            Add/Edit Service Group  17-8
        Advanced Access Rule Configuration  17-8
        Log Options  17-9

CHAPTER 18  Configuring EtherType Rules  18-1
    Ethertype Rules (Transparent Mode Only)  18-1
        Add/Edit EtherType Rule  18-2


CHAPTER 19  Configuring AAA Rules  19-1
    AAA Performance  19-1
    Configuring AAA Rules  19-1
        AAA Rules  19-2
            Add/Edit Authentication Rule  19-4
            Add/Edit Authorization Rule  19-7
            Add/Edit Accounting Rule  19-10
            Add/Edit MAC Exempt Rule  19-12
    Configuring Advanced AAA Features  19-12
        Adding an Interactive Authentication Rule  19-13
        Configuring a RADIUS Server for Authorization  19-15
            Configuring a RADIUS Server to Send Downloadable Access Control Lists  19-15
            Configuring a RADIUS Server to Download Per-User Access Control List Names  19-19

CHAPTER 20  Configuring Filter Rules  20-1
    URL Filtering  20-1
        Add/Edit Parameters for Websense URL Filtering  20-3
        Add/Edit Parameters for Secure Computing SmartFilter URL Filtering  20-3
        Advanced URL Filtering  20-4
    Filter Rules  20-5
        Select Source  20-7
        Rule Query  20-7
        Add/Edit Filter Rule  20-8
        Browse Source/Destination Address  20-10

CHAPTER 21  Configuring Service Policy Rules  21-1
    Service Policy Rules  21-1
        Service Policy  21-3
            Edit Service Policy  21-3
        Traffic Classification Criteria  21-4
            Default Inspections  21-5
            Management Type Traffic Class and Action  21-5
            Select RADIUS Accounting Map  21-6
            Add RADIUS Accounting Policy Map  21-6
            Using Default Inspection Traffic Criteria  21-7
            Changing Default Ports for Application Inspection  21-8
            Configuring Application Inspection with Multiple Ports  21-9
            Source and Destination Address (This dialog is called ACL in other contexts)  21-10
            Destination Port  21-12
            RTP Ports  21-13
            IP Precedence  21-13
            IP DiffServ CodePoints (DSCP)  21-14
        Rule Actions > Protocol Inspection Tab  21-14
            Select DCERPC Map  21-16
            Configure DNS  21-17
            Select DNS Map  21-17
            Select ESMTP Map  21-18
            Select FTP Map  21-18
            Select GTP Map  21-19
            Select H.323 Map  21-19
            Select HTTP Map  21-20
            Select IM Map  21-20
            Select IPSec-Pass-Thru Map  21-20
            Select MGCP Map  21-21
            Select NETBIOS Map  21-21
            Select SCCP (Skinny) Map  21-22
            Select SIP Map  21-22
            Select SNMP Map  21-23
        Rule Actions > Intrusion Prevention Tab  21-23
        Rule Actions > CSC Scan Tab  21-24
        Rule Actions > Connection Settings Tab  21-24
        Rule Actions > QoS Tab  21-26
        Edit Class Map  21-30
        Edit Rule  21-31
        Edit Service Policy Rule > Traffic Classification Tab  21-32
        Tunnel Group  21-33
        SUNRPC Server  21-34
            Add/Edit SUNRPC Service  21-34

CHAPTER 22  NAT  22-1
    NAT  22-1
        Add/Edit Static NAT Rule  22-4
        Add/Edit Dynamic NAT Rule  22-5
        NAT Options  22-6
        Global Pools  22-7
        Add/Edit Static Policy NAT Rule  22-8
        Add/Edit Dynamic Policy NAT Rule  22-9
        Add/Edit NAT Exempt Rule  22-11
        Add/Edit Identity NAT Rule  22-12
CHAPTER 23  Configuring ARP Inspection and Bridging Parameters  23-1
    Configuring ARP Inspection  23-1
        ARP Inspection  23-1
            Edit ARP Inspection Entry  23-2
        ARP Static Table  23-3
            Add/Edit ARP Static Configuration  23-4
    Customizing the MAC Address Table  23-4
        MAC Address Table  23-4
            Add/Edit MAC Address Entry  23-6
        MAC Learning  23-6

CHAPTER 24  Preventing Network Attacks  24-1
    Connection Settings (Transparent Mode Only)  24-1
        Set/Edit Connection Settings  24-2
    IP Audit  24-3
        IP Audit Policy  24-3
            Add/Edit IP Audit Policy Configuration  24-4
        IP Audit Signatures  24-5
            IP Audit Signature List  24-5
    Fragment  24-9
        Show Fragment  24-10
        Edit Fragment  24-11
    Anti-Spoofing  24-12
    TCP Options  24-13
    TCP Reset Settings  24-14
    Timeouts  24-15

CHAPTER 25  Configuring QoS  25-1
    Priority Queue  25-1
        Add/Edit Priority Queue  25-1
    WCCP  25-2
        WCCP Service Groups  25-2
            Add or Edit WCCP Service Group  25-3
        Redirection  25-3
            Add or Edit WCCP Redirection  25-4
    WCCP  25-4
        WCCP Service Groups  25-4
        Redirection  25-5
CHAPTER 26  VPN  26-1
    VPN Wizard  26-1
        VPN Tunnel Type  26-2
        Remote Site Peer  26-3
        IKE Policy  26-4
        IPSec Encryption and Authentication  26-5
        Local Hosts and Networks  26-6
        Summary  26-7
        Remote Access Client  26-8
        VPN Client Authentication Method and Tunnel Group Name  26-9
        Client Authentication  26-10
        New Authentication Server Group  26-10
        User Accounts  26-11
        Address Pool  26-12
        Attributes Pushed to Client  26-12
        Address Translation Exemption  26-13
CHAPTER 26  IKE  26-1
    Certificate Group Matching  26-1
        Policy  26-1
        Rules  26-2
            Add/Edit Certificate Matching Rule  26-3
            Add/Edit Certificate Matching Rule Criterion  26-3
    Global Parameters  26-5
    Policies  26-8
        Add/Edit IKE Policy  26-9
    IP Address Management  26-10
        Assignment  26-10
        IP Pools  26-11
            Add/Edit IP Pool  26-11
    IPSec  26-12
        IPSec Rules  26-13
            Tunnel Policy (Crypto Map) - Basic  26-14
            Tunnel Policy (Crypto Map) - Advanced  26-16
            Tunnel Policy (Crypto Map) - Traffic Selection  26-16
        Pre-Fragmentation  26-18
            Edit IPSec Pre-Fragmentation Policy  26-19
        Transform Sets  26-20
            Add/Edit Transform Set  26-20
    Load Balancing  26-21
    NAC  26-24

CHAPTER 27  General  27-1
    Client Update  27-1
        Edit Client Update Entry  27-3
    Default Tunnel Gateway  27-4
    Group Policy  27-4
        Add/Edit External Group Policy  27-6
            Add AAA Server Group  27-6
        Add/Edit Internal Group Policy > General Tab  27-7
            Browse Time Range  27-8
            Add/Edit Time Range  27-9
            Add/Edit Recurring Time Range  27-10
            ACL Manager  27-11
                Standard ACL Tab  27-11
                Extended ACL Tab  27-12
                Add/Edit/Paste ACE  27-13
                Browse Source/Destination Address  27-14
                Browse Source/Destination Port  27-15
                Add TCP Service Group  27-16
                Browse ICMP  27-16
                Add ICMP Group  27-17
                Browse Other  27-17
                Add Protocol Group  27-18
        Add/Edit Internal Group Policy > IPSec Tab  27-19
            Add/Edit Client Access Rule  27-20
        Add/Edit Internal Group Policy > Client Configuration Tab  27-20
            Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab  27-21
                View/Config Banner  27-22
            Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab  27-22
            Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab  27-23
                Add/Edit Standard Access List Rule  27-24
        Add/Edit Internal Group Policy > Client Firewall Tab  27-25
        Add/Edit Internal Group Policy > Hardware Client Tab  27-27
        Add/Edit Internal Group Policy > NAC Tab  27-30
            Add/Edit Posture Validation Exception  27-31
        WebVPN Tab > Functions Tab  27-31
        Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab  27-34
        Add/Edit Group Policy > WebVPN Tab > Homepage Tab  27-34
        Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab  27-35
            Add/Edit Port Forwarding List  27-35
            Add/Edit Port Forwarding Entry  27-36
        Add/Edit Group Policy > WebVPN Tab > Other Tab  27-36
            Add/Edit Server and URL List  27-37
            Add/Edit Server or URL  27-38
        Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab  27-38
        Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab  27-39
        ACLs  27-40
    Tunnel Group  27-41
        Add/Edit Tunnel Group > General Tab > Basic Tab  27-42
        Add/Edit Tunnel Group > General Tab > Authentication Tab  27-44
        Add/Edit Tunnel Group > General Tab > Authorization Tab  27-44
        Add/Edit Tunnel Group > General Tab > Accounting Tab  27-46
        Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab  27-46
        Add/Edit Tunnel Group > General Tab > Advanced Tab  27-47
        Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab  27-48
        Add/Edit Tunnel Group > PPP Tab  27-49
        Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab  27-50
        Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab  27-51
        Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab  27-53
        Add/Edit Tunnel Group > WebVPN Tab > Basic Tab  27-54
        Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab  27-55
        Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server  27-56
        Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab  27-57
        Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab  27-58
    VPN System Options  27-59
    Easy VPN Remote  27-60
    Zone Labs Integrity Server  27-61
    Advanced Easy VPN Properties  27-63

CHAPTER 28  WebVPN  28-1
    WebVPN Security Precautions  28-1
    ACLs  28-2
        Add ACL  28-3
        Add/Edit ACE  28-3
    APCF  28-4
        Add/Edit APCF Profile  28-4
        Upload APCF package  28-5
    Auto Signon  28-6
        Add/Edit Auto Signon Entry  28-7
    CSD Setup  28-8
        Upload Image  28-9
    Cache  28-10
    Content Rewrite  28-11
        Add/Edit Content Rewrite Rule  28-12
    Java Trustpoint  28-12
    Encoding  28-13
        Add/Edit Encoding  28-14
    Port Forwarding  28-15
        Add/Edit Port Forwarding List  28-17
        Add/Edit Port Forwarding Entry  28-17
    Proxies  28-18
    Proxy Bypass  28-18
        Add/Edit Proxy Bypass Rule  28-19
    SSL VPN Client  28-20
        Add SSL VPN Client Image  28-21
        Add SSL VPN Client Browse Flash Dialog  28-21
        Add SSL VPN Client Upload Flash Dialog  28-22
        Replace SSL VPN Client Image  28-22
        Replace SSL VPN Client Upload Flash Dialog  28-23
    SSO Servers  28-23
        Add/Edit SSO Server  28-25
    Servers and URLs  28-26
    WebVPN Access  28-26
    Webpage Customization  28-28
        Add/Edit Webpage Customization Object > Select Font  28-28
        Add/Edit Webpage Customization Object > Select Foreground Color  28-29
        Add/Edit Webpage Customization Object > Select Background Color  28-30
        Add/Edit Webpage Customization Object > Page Title Tab  28-30
        Add/Edit Webpage Customization Object > Page Title Tab > Upload Logo  28-31
        Add/Edit Webpage Customization Object > Login Page Tab > Login Box Tab  28-32
        Add/Edit Webpage Customization Object > Login Page Tab > Login Prompts Tab  28-33
        Add/Edit Webpage Customization Object > Login Page Tab > Login Buttons Tab  28-34
        Add/Edit Webpage Customization Object > Logout Page Tab  28-35
        Add/Edit Webpage Customization Object > Home Page Tab > Border Color Tab  28-36
        Add/Edit Webpage Customization Object > Home Page Tab > Web Applications Tab  28-37
        Add/Edit Webpage Customization Object > Home Page Tab > Application Access Tab  28-38
        Add/Edit Webpage Customization Object > Home Page Tab > Browse Network Tab  28-39
        Add/Edit Webpage Customization Object > Home Page Tab > Web Bookmarks Tab  28-40
        Add/Edit Webpage Customization Object > Home Page Tab > File Bookmarks Tab  28-41
        Add/Edit Webpage Customization Object > Application Access Window Tab  28-42
        Add/Edit Webpage Customization Object > Prompt Dialog Tab  28-43
        Add/Edit Webpage Customization Object > Quick Style Configuration  28-44

CHAPTER 29  WebVPN End User Set-up  29-1
    Requiring Usernames and Passwords  29-1
    Communicating Security Tips  29-2
    Configuring Remote Systems to Use WebVPN Features  29-2
    Capturing WebVPN Data  29-7
        Creating a Capture File  29-8
        Using a Browser to Display Capture Data  29-8

CHAPTER 30  E-Mail Proxy  30-1
    Configuring E-Mail Proxy  30-1
    AAA  30-2
        POP3S Tab  30-2
        IMAP4S Tab  30-4
        SMTPS Tab  30-5
    Access  30-7
        Edit E-Mail Proxy Access  30-7
    Authentication  30-8
    Default Servers  30-9
    Delimiters  30-10

CHAPTER 31  Configuring SSL Settings  31-1
    SSL  31-1
        Edit SSL Trustpoint  31-3

CHAPTER 32  Configuring Certificates  32-1
    Authentication  32-1
    Enrollment  32-2
    Import Certificate  32-3
    Key Pair  32-3
        Add Key Pair  32-4
        Key Pair Details  32-5
    Manage Certificate  32-5
        Add Certificate  32-6
    Trustpoint  32-7
        Configuration  32-7
            Add/Edit Trustpoint Configuration > Enrollment Settings Tab  32-8
                Add/Edit Key Pair  32-9
                Certificate Parameters  32-9
                Edit DN  32-10
            Add/Edit Trustpoint Configuration > Revocation Check Tab  32-11
            Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab  32-11
                Add/Edit Static URL  32-12
            Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab  32-12
            Add/Edit Trustpoint Configuration > OCSP Rules Tab  32-13
                Add/Edit Trustpoint OCSP Rule dialog box  32-14
            Add/Edit Trustpoint Configuration > Advanced Tab  32-15
        Export  32-16
        Import  32-17
    Authenticating, Enrolling for, and Managing Digital Certificates  32-17
        Summary of Configuration Steps  32-18
        Generating the Key Pair  32-18
        Enrolling for a Certificate Using Automatic Enrollment (SCEP)  32-18
            Authenticating to the CA  32-19
            Enrolling with the CA  32-19
        Enrolling for a Certificate Using Manual Enrollment  32-20
        Additional Steps for a Failover Configuration  32-21
            Exporting the Certificate to a File or PKCS12 data  32-21
            Importing the Certificate onto the Standby Device  32-21
        Managing Certificates  32-22
CHAPTER 33  CSD  33-1

CHAPTER 34  Configuring IPS  34-1
    Accessing IDM from ASDM  34-1
    Resetting the AIP SSM Password  34-2


CHAPTER 35  Configuring Trend Micro Content Security  35-1
    Managing the CSC SSM  35-1
        About the CSC SSM  35-1
        Getting Started with the CSC SSM  35-3
        Determining What Traffic to Scan  35-5
    CSC Setup  35-7
        Activation/License  35-8
        IP Configuration  35-9
        Host/Notification Settings  35-10
        Management Access Host/Networks  35-11
        Password  35-11
            Restoring the Default Password  35-12
        Wizard Setup  35-13
            Summary  35-13
    Web  35-15
    Mail  35-16
        Mail > SMTP Tab  35-16
        Mail > POP3 Tab  35-17
    File Transfer  35-18
    Updates  35-19
    Connecting to CSC/Content Security and Control Password  35-20


CHAPTER 36  Monitoring System Log Messages  36-1
    About Log Viewing  36-1
    Log Buffer  36-1
        Log Buffer Viewer  36-2
    Real-Time Log Viewer  36-3
        Real-Time Log Viewer  36-3


CHAPTER 37  Monitoring Trend Micro Content Security  37-1
    Threats  37-1
    Live Security Events  37-2
        Live Security Events Viewer  37-2
    Software Updates  37-3
    Resource Graphs  37-4
        CSC CPU  37-4
        CSC Memory  37-5


CHAPTER 38  Monitoring Failover  38-1
    Single Context Mode  38-1
        Failover  38-1
            Status  38-1
            Graphs  38-4
    Multiple Context Mode  38-5
        System  38-5
        Failover Group 1 and Failover Group 2  38-8

CHAPTER 39  Monitoring Interfaces  39-1
    ARP Table  39-1
    DHCP  39-1
        DHCP Server Table  39-2
        DHCP Client Lease Information  39-2
        DHCP Statistics  39-3
    MAC Address Table  39-4
    Dynamic ACLs  39-5
    Interface Graphs  39-5
        Graph/Table  39-8
    PPPoE Client  39-8
        interface connection  39-9
        Track Status for  39-9
        Monitoring Statistics for  39-9

CHAPTER

Monitoring Routing OSPF LSAs Type 1 Type 2 Type 3 Type 4 Type 5 Type 7 Routes
40-7 40-1 40-1 40-2 40-3 40-3 40-4 40-4

40-1

OSPF Neighbors

40-5

CHAPTER 41
Monitoring VPN 41-1
VPN Connection Graphs 41-1
IPSec Tunnels 41-1
Sessions 41-2
VPN Statistics 41-3
Sessions 41-3
Sessions Details 41-6
Sub-session Details NAC Details 41-8
Encryption Statistics 41-9
NAC Session Summary 41-10
Protocol Statistics 41-11
Global IKE/IPSec Statistics 41-12
Crypto Statistics 41-12
Compression Statistics 41-13
Cluster Loads 41-13
WebVPN SSO Statistics 41-14
VPN Connection Status 41-15
CHAPTER 42
Monitoring Properties 42-1
AAA Servers 42-1
CRL 42-2
Connection Graphs 42-2
Xlates 42-2
Perfmon 42-3
DNS Cache 42-4
Device Access 42-5
AAA Local Locked Out Users 42-5
Authenticated Users 42-5
HTTPS/ASDM Sessions 42-6
Secure Shell Sessions 42-6
Telnet Sessions 42-7
IP Audit 42-8
System Resources Graphs 42-10
Blocks 42-11
CPU 42-11
Memory 42-12


INDEX


About This Guide


The ASDM User Guide contains the information that is available in the ASDM online help system. This preface contains the following topics:

- Related Documentation, page xxix
- Obtaining Documentation and Submitting a Service Request, page xxix

Related Documentation
For more information, refer to the following documentation:

- Release Notes for Cisco ASDM
- Cisco ASA 5500 Series Configuration Guide using the CLI
- Cisco ASA 5500 Series Command Reference
- Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
- Cisco ASA 5500 Series Release Notes
- Cisco ASA 5500 Series System Log Messages

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


CHAPTER 1

Welcome to ASDM

Welcome to ASDM, a browser-based Java applet used to configure and monitor the software on security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device. For more information about this release, see the following topics:

- Important Notes
- New in This Release
- Unsupported Commands
- About the ASDM Window
- About the Help Window
- Home Page

Important Notes

- CLI Command Support: With a few exceptions, almost all CLI commands are fully supported by ASDM. For a list of commands ASDM does not support, see Unsupported Commands.
- Multiple ASDM Sessions: ASDM allows multiple PCs or workstations to each have one browser session open with the same security appliance software. A single security appliance can support up to 5 concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a particular security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a limit of 32 connections total per security appliance.
- Security Appliance Release: This release of ASDM requires Version 7.1 and does not run with earlier security appliance releases.
- Caveats: Use the Bug Toolkit on cisco.com to view current caveat information. You can access Bug Toolkit at: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
- Changing OS Color Schemes: If you change the color scheme of your operating system while ASDM is running, you should restart ASDM or some ASDM screens might not display correctly.
- If you enable TCP normalization, the default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).


New in This Release


This section contains the following topics:

- Features Introduced in the 5.2(1) Release, page 1-2
- Features Introduced in the 5.2(2) Release, page 1-2
- Features Introduced in the 5.2(3) Release, page 1-3
- Features Introduced in the 5.2(4) Release, page 1-4

For a complete list of new platform and ASDM features, refer to the Cisco ASDM Release Notes on Cisco.com.

Features Introduced in the 5.2(1) Release


See the following topics for more information about the new features in the 5.2(1) release:

- Enhanced and new inspection engines. See Service Policy Rules, page 21-1 and Global Objects, page 6-1.
- Sub-second failover and the High Availability and Scalability Wizard. See Failover, page 12-1.
- Packet Tracer tool. See Packet Tracer, page 1-13.
- Traceroute tool. See Traceroute, page 1-17.
- Expanded VPN Support:
  - ZoneLabs Integrity Server. See Zone Labs Integrity Server, page 27-60.
  - Easy VPN Remote. See Easy VPN Remote, page 27-61.
  - Online Certificate Status Protocol (OCSP) support. See Add/Edit Trustpoint Configuration > Revocation Check Tab, page 32-11 and Add/Edit Trustpoint Configuration > OCSP Rules Tab, page 32-13.
- RIP routing enhancements. See RIP, page 14-21.
- Static Route Tracking/Dual ISP support. See Static Routes, page 14-28.
- Web Cache Communication Protocol (WCCP) support. See WCCP, page 25-2.
- ASA 5505 adaptive security appliance Power over Ethernet port support. See Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, page 5-13.

Features Introduced in the 5.2(2) Release


See the following topics for more information about the new features in the 5.2(2) release:

- IDM Integration. See Accessing IDM from ASDM, page 34-1.
- AIP SSM Password Reset. See Resetting the AIP SSM Password, page 34-2.
- CSC SSM Password Reset. See Restoring the Default Password, page 35-12.
- Additional Multicast Feature Support:
  - PIM neighbor-filter. See Neighbor Filter, page 15-13.
  - PIM bidir-neighbor-filter. See Bidirectional Neighbor Filter, page 15-14.


  - PIM old-register-checksum. See the Generate IOS compatible register messages check box in Rendezvous Points, page 15-16.
  - Multicast Boundary. See MBoundary, page 15-8.
  - MFIB forwarding. See MForwarding, page 15-10.
- Support for HTTP/HTTPS interactive authentication. See Configuring Advanced AAA Features, page 19-12.
- Added DNS (User Principal Name) to the Primary DN Field for tunnel groups. See Add/Edit Tunnel Group > General Tab > Authorization Tab, page 27-44.
- Per-interface authorization server groups for tunnel groups. See Add/Edit Tunnel Group > General Tab > Authorization Tab, page 27-44.
- Support for Virtual Telnet Server. See Virtual Access, page 11-11.

Features Introduced in the 5.2(3) Release


See the following topics for more information about the new features in the 5.2(3) release:

- Multiple ASDM Session Support: ASDM allows multiple PCs or workstations to each have one browser session open with the same adaptive security appliance software. A single adaptive security appliance can support up to five concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a specified adaptive security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a maximum of 32 total connections for each adaptive security appliance.
- Added Enable DNS Guard checkbox to the DNS Client panel for interfaces. See Configuration > Properties > DNS.
- Added redirect-fqdn command to support DNS-based load balancing.
- Added support in the Client Software Location list to allow client updates from Linux or Mac systems. See Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Upload Software > Client Software.
- Added new checkbox Cache Static Content to allow users to cache the static content. See Configuration > VPN > WebVPN > Cache.
- Support for two new options, broadcast-flag and client-id interface interface, in the dhcp-client command. See Configuration > Interfaces > Add or Edit Interfaces > Obtain Addresses via DHCP.
- ASDM now reports Damage Cleanup Services events and statistics.
- The ASDM banner includes Continue and Disconnect buttons at startup. To configure the banner with these buttons, see Configuration > Properties > Device Administration > Banner.
- Added support for the new ESMTP parameter allow-tls [action log] in the ESMTP policy map. When the parameter is on, traffic on an ESMTP session is not inspected after the exchange of the client's STARTTLS command and the server's 220 reply code. To implement this parameter, see Configuration > Global Objects > Inspect Maps > ESMTP. After the map is inspected or edited, select the entry and click Advanced View to access the ESMTP policy map parameter.
- Added the inspect waas command to support WAAS inspection. See Service Policy Rule > Protocol Inspection.
- Added new command, smartcard-removal-disconnect [enable | disable], in group policy configuration mode, to specify that tunnels stay connected when the SmartCard is removed. Currently, the default behavior is that tunnels are disconnected when a SmartCard is removed.


- Increased VLAN range for the ASA 5505: The ASA 5505 adaptive security appliance now supports VLAN IDs between 1 and 4090. Originally, only VLAN IDs between 1 and 1001 were supported.

Features Introduced in the 5.2(4) Release


See the following topics for more information about the new features in the 5.2(4) release:

- Network Objects: You can now add true network objects that you can use in firewall rules. Objects can be named, and when you edit an object, the change is inherited wherever the object is used. Also, when you create a rule, the networks that you specify in the rule are automatically added to the network object list so you can reuse them elsewhere. You can name and edit these automatic entries as well. See Configuration > Objects > Network Objects/Groups.
- QoS Traffic Shaping: If you have a device that transmits packets at a high speed, such as a security appliance with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the Configuration > Security Policy > Service Policy Rules pane, and then add or edit a rule to access the QoS tab. Note that the only traffic class supported for traffic shaping is class-default, which matches all traffic.
- See the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.
- Timeout for SIP provisional media: You can now configure the timeout for SIP provisional media on the Configuration > Properties > Timeouts pane.
- Rate and burst limit sizes for ICMP messages can now be adjusted from the Configuration > Properties > ICMP Rules pane.
- TCP normalization enhancements: You can now configure TCP normalization actions for certain packet types. Previously, the default action for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets.
  - TCP invalid ACK check
  - TCP packet sequence past window check
  - TCP SYN-ACK with data check
  You can also set the TCP out-of-order packet buffer timeout. Previously, the timeout was 4 seconds. You can now set the timeout to another value. The default action for packets that exceed MSS has changed from drop to allow. See the Configuration > Global Objects > TCP Maps pane. The following non-configurable actions have changed from drop to clear for these packet types:
  - Bad option length in TCP
  - TCP Window scale on non-SYN
  - Bad TCP window scale value
  - Bad TCP SACK ALLOW option


Unsupported Commands
ASDM supports almost all commands available for the security appliance, but some commands in an existing configuration are ignored by ASDM. Most of these commands can remain in your configuration; see Show Commands Ignored by ASDM on Device for the ignored commands in your configuration. In the case of the alias command, ASDM enters into Monitor-only mode until you remove the command from your configuration. This section contains the following topics:

- Ignored and View-Only Commands
- Effects of Unsupported Commands
- Other CLI Limitations

Ignored and View-Only Commands


The following table lists commands that ASDM supports in the configuration when added by the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If it is view-only, then the command appears in the GUI, but you cannot edit it.

Unsupported Command | ASDM Behavior
access-list | Ignored if not used.
capture | Ignored.
established | Ignored.
failover timeout | Ignored.
ipv6, any IPv6 addresses | Ignored.
pager | Ignored.
pim accept-register route-map | Ignored. Only the list option can be configured using ASDM.
prefix-list | Ignored if not used in an OSPF area.
route-map | Ignored.
service-policy global | Ignored if it uses a match access-list class. For example:

access-list myacl line 1 extended permit ip any any
class-map mycm
 match access-list myacl
policy-map mypm
 class mycm
  inspect ftp
service-policy mypm global

switchport trunk native vlan | Ignored in Ethernet interface mode.
sysopt nodnsalias | Ignored.
sysopt uauth allow-http-cache | Ignored.
terminal | Ignored.
virtual | Ignored.

Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available. If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, see Options > Show Commands Ignored by ASDM on Device. If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode. Monitor-only mode allows access to the following functions:

- The Monitoring area
- The CLI tool (Tools > Command Line Interface), which lets you use the CLI commands.

To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco ASA 5500 Series Command Reference for more information.

Note

You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to 3 by your system administrator, which allows Monitor-only mode. For more information, see Configuration > Properties > Device Administration > User Accounts and Configuration > Device Access > AAA Access.

Other CLI Limitations


ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:
ip address inside 192.168.2.1 255.255.0.255
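As an added illustration of this limitation (example code, not from the guide or from Cisco), the following Python checks an ip address line before it is pushed through the CLI tool and rejects any mask whose 1 bits are not contiguous, which is exactly what 255.255.0.255 is. The command layout follows the guide's example; the function names and the result keys are this example's own.

```python
import ipaddress


def is_contiguous_mask(mask: str) -> bool:
    """Return True when a dotted-decimal mask is a run of 1 bits followed by 0 bits.

    Inverting a contiguous mask yields 0...01...1, and only numbers of that
    shape satisfy (x & (x + 1)) == 0. 255.255.0.255 inverts to 0.0.255.0,
    which fails the test, so the guide's example of a rejected mask is caught.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def prefix_length(mask: str) -> int:
    """Prefix length of a contiguous mask (count of 1 bits)."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def check_ip_address_command(line: str) -> dict:
    """Validate an 'ip address <ifname> <ip> <mask>' line before sending it.

    The result keys ('accepted', 'reason', 'interface', 'network',
    'prefixlen') are this example's own choice, not an ASDM interface.
    """
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "address"]:
        return {"accepted": False,
                "reason": "expected: ip address <ifname> <ip> <mask>"}
    _, _, ifname, ip, mask = parts
    try:
        ipaddress.IPv4Address(ip)
        ipaddress.IPv4Address(mask)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    if not is_contiguous_mask(mask):
        return {"accepted": False,
                "reason": f"discontinuous mask {mask} cannot be managed through ASDM"}
    network = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return {"accepted": True, "interface": ifname,
            "network": str(network), "prefixlen": prefix_length(mask)}


if __name__ == "__main__":
    for cmd in ("ip address inside 192.168.2.1 255.255.0.255",
                "ip address inside 192.168.2.1 255.255.255.0"):
        print(cmd, "->", check_ip_address_command(cmd))
```

The bit trick avoids a string comparison against a table of 33 legal masks and also accepts 0.0.0.0 and 255.255.255.255, which are contiguous by definition.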

About the ASDM Window


The ASDM Window is designed to provide easy access to the many features that the security appliance supports. The ASDM Window includes the following:

- Menus: Provides quick access to files, tools, options and help.
- Toolbar: Lets you navigate ASDM. From the toolbar you can access the home page, configuration, and monitoring panels. You can also search for features, save the configuration, get help and navigate back and forth between panels. The Home, Configuration, and Monitoring buttons each open a panel with a variety of useful tools. The home page offers much information at a glance. Configuration and monitoring offer a useful category tree along the left side of the frame, for access to more detailed configuration or monitoring information.
- Status Bar: Shows the time, connection status, user, and privilege level.

Menus
ASDM includes the following menus:

- File Menu
- Options Menu
- Tools Menu
- Wizards Menu
- Help Menu

File Menu
The File menu manages security appliance configurations, and includes the following items:

- Refresh ASDM with the Running Configuration on the Device: Loads a copy of the running configuration to ASDM. Use refresh to make sure ASDM has a current copy of the running configuration.
- Reset Device to the Factory Default Configuration: Restores the configuration to the factory default. See Reset Device to the Factory Default Configuration dialog box for more information.
- Show Running Configuration in New Window: Displays the current running configuration in a new window.
- Save Running Configuration to Flash: Writes a copy of the running configuration to Flash memory.
- Save Running Configuration to TFTP Server: Stores a copy of the current running configuration file on a TFTP server. See the Save Running Configuration to TFTP Server dialog box for more information.
- Save Running Configuration to Standby Unit: Sends a copy of the running configuration file on the primary unit to the running configuration of a failover standby unit.
- Save Internal Log Buffer to Flash: Saves the log buffer to flash memory.
- Print: Prints the current panel. We recommend landscape page orientation when printing rules. If ASDM is running in Netscape Communicator and the user has not yet granted print privileges to the Java applet, a security dialog appears requesting Print privileges. Click Grant to grant the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet.
- Clear ASDM Cache: Clears the local ASDM images. ASDM downloads an image locally when you connect to ASDM.
- Clear Internal Log Buffer: Clears the system log message buffer.
- Exit: Exits ASDM.


Reset Device to the Factory Default Configuration


The default configuration includes the minimum commands required to connect to the security appliance using ASDM. This feature is available only for routed firewall mode; transparent mode does not support IP addresses for interfaces, and setting the interface IP address is one of the actions this feature takes. This feature is also only available in single context mode; a security appliance with a cleared configuration does not have any defined contexts to automatically configure using this feature. This feature clears the current running configuration and then configures several commands. The configured interface depends on your platform. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. The following commands apply to the dedicated management interface, Management 0/0 (for a platform without a dedicated management interface, the interface is Ethernet 1):

interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

If you set the IP address in this dialog box, then the http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the File > Save Running Configuration to Flash item. This menu item saves the running configuration to the default location for the startup configuration, even if you previously configured the Boot Image/Configuration to set a different location; when the configuration was cleared, this path was also cleared.
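The way the http and dhcpd address commands follow the subnet you specify is shown below as an added Python example; it is not Cisco code and does not reproduce the appliance's internals. It regenerates the command set listed for the default 192.168.1.1/24 address and, as an assumption of this example rather than a statement of the guide, takes the DHCP pool to run from the address after the interface address to the last host of the subnet, which is what the default 192.168.1.2-192.168.1.254 range corresponds to. The helper that lists which source networks the http lines admit is also this example's own; it makes visible that, after a reset, ASDM (HTTPS) access is limited to the management subnet, which is worth confirming before the appliance is put back on a shared network.

```python
import ipaddress


def factory_default_commands(mgmt_ip: str = "192.168.1.1",
                             mgmt_mask: str = "255.255.255.0",
                             ifname: str = "management",
                             interface_id: str = "management 0/0") -> list:
    """Return the reset command set for the given management address.

    Assumption (this example's, not the guide's): the DHCP pool starts at the
    address after the interface address and ends at the last host of the
    subnet, matching the default 192.168.1.2-192.168.1.254 range.
    """
    iface = ipaddress.IPv4Interface(f"{mgmt_ip}/{mgmt_mask}")
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("subnet has no room for an interface address plus a DHCP pool")
    pool_start = iface.ip + 1
    pool_end = net.broadcast_address - 1
    if pool_start > pool_end:
        raise ValueError("interface address is the last host; no DHCP pool possible")
    return [
        f"interface {interface_id}",
        f" ip address {iface.ip} {net.netmask}",
        f" nameif {ifname}",
        " security-level 100",
        " no shutdown",
        "asdm logging informational 100",
        "asdm history enable",
        "http server enable",
        # Only hosts in this subnet may open an ASDM session after the reset.
        f"http {net.network_address} {net.netmask} {ifname}",
        f"dhcpd address {pool_start}-{pool_end} {ifname}",
        "dhcpd lease 3600",
        "dhcpd ping_timeout 750",
        f"dhcpd enable {ifname}",
    ]


def permitted_asdm_clients(commands: list) -> list:
    """List the source networks that 'http <net> <mask> <if>' lines admit to ASDM."""
    allowed = []
    for line in commands:
        parts = line.split()
        # 'http server enable' has three tokens and is not an access rule.
        if len(parts) == 4 and parts[0] == "http":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            allowed.append(f"{net} via {parts[3]}")
    return allowed


if __name__ == "__main__":
    cmds = factory_default_commands()
    print("\n".join(cmds))
    print("ASDM reachable from:", permitted_asdm_clients(cmds))
```

Passing a different address, for example factory_default_commands("10.0.5.1", "255.255.255.128", ifname="inside", interface_id="ethernet 1") for a platform without a dedicated management interface, yields an http line for 10.0.5.0/25 and a pool of 10.0.5.2-10.0.5.126.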

Note

This command also clears the Add Boot Image configuration, if present, along with the rest of the configuration. The Add Boot Image pane lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.
Fields

- Use this address for the Interface_ID interface which will be named as name: Manually sets the IP address of the management interface, instead of using the default address, 192.168.1.1. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside.
- Management IP Address: Sets the management interface IP address.
- Management subnet mask: Sets the subnet mask of the interface. If you do not set a mask, the security appliance uses the mask appropriate for the IP address class.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Save Running Configuration to TFTP Server


This dialog box stores a copy of the current running configuration file on a TFTP server.
Fields

- TFTP Server IP Address: Enter the IP address of the TFTP server.
- Configuration File Path: Enter the path on the TFTP server where the file will be saved.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Enter Log File Name


Saves the log buffer to flash memory.
Fields

- Use default file name: Saves the log buffer using LOG-YYYY-MM-DD-hhmmss.txt as the file name.
- Use user-specified file name: Saves the log buffer using a file name that you specify.
- Field Name: Enter the file name for the saved log buffer.

Options Menu
The Options menu lets you set ASDM preferences.

- Show Commands Ignored by ASDM on Device: Displays unsupported commands that have been ignored by ASDM. See the Show Commands Ignored by ASDM on Device dialog box for more information.
- Preferences: Changes the behavior of some ASDM functions between sessions using your web browser cookie feature. See the Preferences dialog box for more information.


Show Commands Ignored by ASDM on Device


Some commands are unsupported in ASDM. Typically, they are ignored when encountered by ASDM, and are displayed in the list of unparsed commands invoked by Show Commands Ignored by ASDM on Device. ASDM does not change or remove these commands from your configuration. See Unsupported Commands for more information.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Preferences
The Preferences dialog box lets you change the behavior of some ASDM functions between sessions by using your web browser cookie feature.
Fields

- General tab: Sets general preferences.
  - Preview commands before sending to the device check box: Lets you view CLI commands generated by ASDM.
  - Enable Large Fonts (Requires ASDM Restart) check box: Increases the ASDM icon font size after closing ASDM and reconnecting. Not all fonts are affected.
  - Confirm before exiting from ASDM check box: Displays a prompt when you try to close ASDM to confirm that you want to exit. This option is checked by default.
- Rules Table tab: Sets preferences for the Rules Table.
  - Display settings: Lets you change the way rules are displayed in the Rules Table.
    - Auto expand network and service object groups with specified prefix: Displays the network and service object groups automatically expanded based on the Auto Expand-Prefix.
    - Auto Expand-Prefix: Specifies the prefix of the network and service object groups to automatically expand when displayed.
    - Show members of network and service object groups: Select to display members of network and service object groups and the group name in the rules table. If the check box is not selected, only the group name is displayed.
    - Limit members to: Enter the number of network and service object groups to display. When the object group members are displayed, only the first nn members are shown.
    - Show all actions for service policy rules: Select to display all actions in the rules table. When cleared, a summary is displayed.
  - Deployment Settings: Lets you configure the behavior the security appliance has when deploying changes to the rules table.
    - Issue clear xlate command when deploying access lists: Check to clear the NAT table when deploying new access lists. This ensures the access lists that are configured on the security appliance are applied to all translated addresses.
    - Show filter panel by default: Displays the filter panel by default.
    - Show rule diagram panel by default: Displays the rule diagram by default.

- Applications Inspections tab: Sets Application Inspection map options.
  - Prompt to add inspect map before applying changes: Enables a prompt that reminds you the inspection map has not yet been added.
  - Make advanced view the default inspect view: Select to make the advanced view the default application inspection view.
  - Ask to make advanced view the default view: Enables a dialog box that asks to make the advanced view the default application inspection view. Clear to disable the prompt.
- Syslog Color Settings tab: Sets the background and text colors for system log messages displayed on the Home page.
  - Severity column: Lists each severity level.
  - Background Color column: Shows the background color for messages for each severity level. To change the color, click the appropriate row. The Pick a Color dialog box appears.
  - Foreground Color column: Shows the foreground (text) color for messages for each severity level. To change the color, click the appropriate row. The Pick a Color dialog box appears.
  - Restore Default button: Restores the default settings of white background and colored text.

Note

Each time a preference is checked or unchecked, the change is written to the .conf file and becomes available for all the other ASDM sessions running on the workstation at the time. Restarting ASDM maintains your preferences.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Tools Menu
The Tools menu provides you with troubleshooting tools on ASDM. Here you can upload new software to the ASDM, check connectivity, or issue commands at the command line.

- Command Line Interface: Provides a text-based tool for sending commands to the security appliance and viewing the results. See the Command Line Interface dialog box for more information.
- Packet Tracer: Lets you trace a packet from a specified source address and interface to a destination. You can specify the protocol and port of any type of data and see the lifespan of a packet with detailed information about actions taken on it. See the Packet Tracer dialog box for more information.
- Ping: Provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. See the Ping dialog box for more information.
- Traceroute: Lets you determine the route packets will take to their destination. See the Traceroute dialog box for more information.
- File Management: Lets you view, move, copy and delete files stored in Flash memory. You can also create a directory in Flash memory. See the File Management dialog box for more information. You can also bring up the File Transfer dialog box to transfer files between various file systems, including TFTP, Flash memory, and your local PC.
- Upload ASDM Assistant Guide: Lets you upload an XML file to Flash memory that contains information used in the ASDM Assistant. These files can be downloaded from Cisco.com.
- Upgrade Software: Lets you choose a security appliance image, ASDM image, or other image file on your PC, and upload it to Flash memory. See the Upload Image from Local PC dialog box for more information.
- System Reload: Lets you restart the system and reload the saved configuration into memory. See the System Reload dialog box for more information.
- IPS/CSC Password Reset: Resets the password of an installed AIP SSM or CSC SSM to the default (cisco). See the Resetting the AIP SSM Password section on page 34-2 and the Restoring the Default Password section on page 35-12 for more information.
- ASDM Java Console: Shows the Java console.

Command Line Interface


The Command Line Interface dialog box provides a text-based tool for sending commands to the security appliance and viewing the results.

Note

Commands entered via the ASDM CLI tool might function differently from commands entered through a terminal connection to the security appliance.

Command Errors
If an error occurs because you entered an incorrect command, the offending command is skipped and the remaining commands are processed anyway. A message displays in the Response box to let you know what, if any, errors were encountered as well as other pertinent information.

Note

Refer to the Cisco ASA 5500 Series Command Reference for a list of commands. With a few exceptions, almost all CLI commands are fully supported by ASDM.

Interactive Commands
Interactive commands are not supported in the Command Line Interface dialog box. To use these commands in ASDM, use the noconfirm keyword if available, as follows:
crypto key generate rsa modulus 1024 noconfirm


Avoiding Conflicts with Other Administrators


Multiple administrative users can update the running configuration of the security appliance. Before using the ASDM Command Line Interface tool to make configuration changes, check for other active administrative sessions. If more than one user is configuring the security appliance at the same time, the last changes take effect. (Click the Monitoring tab to view other administrative sessions that are currently active on the same security appliance.)

Viewing Configuration Changes in ASDM


If you change the configuration using the Command Line Interface tool, click the Refresh button to view the changes in ASDM.
Prerequisites

The commands you can enter at the Command Line Interface tool depend on your user privileges. See the Authorization Tab. Review your privilege level in the status bar at the bottom of the main ASDM window to ensure you have privileges to execute privileged-level CLI commands.
Fields

Command: Sends commands to the security appliance.
  Single Line: Lets you enter single commands, one at a time. The most recent commands entered are listed, or you can type a new command.
  Multiple Line: Lets you enter multiple command lines.
Enable context sensitive help (?): Shows CLI help for a command if you enter a question mark (?) after it. You do not need to press Enter; the help is displayed as soon as you type a ?. Clearing this check box causes ASDM to escape the question mark character before sending it to the device, allowing you to enter the question mark as part of a text string without causing the command line help to display.
Response: Displays the results of the commands you entered in the Command box.
Send: Sends all commands to the security appliance.
Clear Response: Clears all text displayed in the Response box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Packet Tracer
The packet tracer tool provides packet tracing capabilities for packet sniffing and network fault isolation.


The tool provides detailed information about a packet and how it is processed by the security appliance. When a command in the configuration causes the packet to be dropped, the packet tracer tool reports the cause in an easily readable manner. For example, if a packet was dropped because its IP header failed validation, a message such as "packet dropped due to bad ip header (reason)" is displayed. In addition to capturing packets, you can trace the lifespan of a packet through the security appliance to see whether it is being handled as expected. The packet tracer tool lets you do the following:

Debug all packet drops in a production network.
Verify that the configuration is working as intended.
Show all rules applicable to a packet, along with the CLI lines that caused each rule to be added.
Show a time line of packet changes in the data path.
Inject tracer packets into the data path.

Fields

Interface: Specifies the source interface for the packet trace.
Packet type: Specifies the protocol type for the packet trace. Available protocol types are icmp, rawip, tcp, or udp.
Source IP: Specifies the source address for the packet trace.
Source Port: Specifies the source port for the packet trace.
Destination IP: Specifies the destination address for the packet trace.
Destination Port: Specifies the destination port for the packet trace.
Start: Starts the packet trace.
Clear: Clears all fields.
Show animation: Check to display the packet trace graphically.
Information Display Area: Displays detailed messages about the packet trace.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Ping
The Ping dialog box provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. A ping is the network equivalent of sonar for submarines. A ping is sent to an IP address and it returns an echo, or reply. This simple process enables network devices to discover, identify, and test each other.


The Ping tool uses ICMP described in RFC-777 and RFC-792. ICMP defines an echo and echo reply transaction between two network devices, which has become known as a ping. The echo (request) packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.
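The echo and echo reply exchange described above, as an added example (this is not Cisco code and is not part of the original guide): it builds an ICMP echo request the way a ping tool does, verifies the RFC 1071 checksum, and produces the echo reply the pinged device would return. The packets are constructed in memory; no socket is opened and nothing is sent to a security appliance. The reply_matches check is the part a ping tool must not skip: an echo reply whose identifier, sequence number, or payload differs from the outstanding request is not a response to that ping.

```python
"""ICMP echo request / echo reply (RFC 792) built and checked in memory.

Added example for this section of the guide; it is not Cisco code.
Packets are constructed here, not captured from a device, and no socket
is opened.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.

    Over a message whose checksum field is zero it yields the value to store;
    over a complete, intact message it yields 0.
    """
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data to a whole word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2), then the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an echo message; raise ValueError if truncated, not echo, or corrupt."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo message")
    if icmp_checksum(packet) != 0:            # checksum field included: must sum to zero
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}


def is_valid_echo(packet: bytes) -> bool:
    """True if parse_echo accepts the packet."""
    try:
        parse_echo(packet)
        return True
    except ValueError:
        return False


def echo_reply_for(request: bytes) -> bytes:
    """What the pinged device sends back: type 0 with the same id, seq and payload.

    The device also swaps source and destination IP addresses, but that is in
    the IP header, which is outside this ICMP-only example.
    """
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("only echo requests are answered")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """A ping tool counts a reply only when id, seq and payload match its request."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["id"] == req["id"]
            and rep["seq"] == req["seq"] and rep["payload"] == req["payload"])


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefghijklmnop")
    reply = echo_reply_for(request)
    print(request.hex(), reply.hex(), reply_matches(request, reply))
```

The checksum is verified by recomputing over the whole message including the checksum field, which must come out as zero; a single flipped byte in the payload makes parse_echo reject the packet, which is why the Ping tool's "NO response" result can also mean a corrupted reply rather than silence.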

Using the Ping Tool


Administrators can use the ASDM Ping tool as an interactive diagnostic aid in several ways, for example:

Loopback testing of two interfaces: A ping may be initiated from one interface to another on the same security appliance, as an external loopback test to verify basic up status and operation of each interface.
Pinging to a security appliance interface: An interface on another security appliance may be pinged by the Ping tool or another source to verify that it is up and responding.
Pinging through a security appliance: Ping packets originating from the Ping tool may pass through an intermediate security appliance on their way to a device. The echo packets also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.
Pinging to test questionable operation of a network device: A ping may be initiated from a security appliance interface to a network device that is suspected to be functioning improperly. If the interface is configured properly and an echo is not received, there may be problems with the device.
Pinging to test intermediate communications: A ping may be initiated from a security appliance interface to a network device which is known to be functioning properly and returning echo replies. If the echo is received, the proper operation of any intermediate devices and physical connectivity is confirmed.

Troubleshooting the Ping Tool


When pings fail to receive an echo, it may be the result of a configuration or operational error in a security appliance, and not always due to no response from the IP address being pinged. Before using the Ping tool to ping from, to, or through a security appliance interface, verify the following:

Basic Interface Checks

Verify that interfaces are configured properly in Configuration > Properties > Interfaces.
Verify that devices in the intermediate communications path, such as switches or routers, are properly delivering other types of network traffic.
Make sure that traffic of other types from known good sources is being passed. Use Monitoring > Interface Graphs.

Pinging from a security appliance interface

For basic testing of an interface, a ping may be initiated from a security appliance interface to a network device which, by other means, is known to be functioning properly and returning echoes via the intermediate communications path.

Verify receipt of the ping from the security appliance interface by the known good device. If it is not received, there may be a problem with the transmit hardware or configuration of the interface.
If the security appliance interface is configured properly and it does not receive an echo from the known good device, there may be problems with the interface hardware receive function.
If a different interface with known good receive capability can receive an echo after pinging the same known good device, the hardware receive problem of the first interface is confirmed.


Pinging to a security appliance interface

When attempting to ping a security appliance interface, verify that the ping response (ICMP echo reply) is enabled for that interface in the Configuration > Properties > Administration > ICMP panel. When pinging is disabled, the security appliance cannot be detected by other devices or software applications, and will not respond to the ASDM Ping tool.

Pinging through the security appliance

First, verify that other types of network traffic from known good sources are being passed through the security appliance. Use Monitoring > Interface Graphs, or an SNMP management station. To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Configuration > Access Rules.

Fields

IP Address: The destination IP address for the ICMP echo request packets.

Note

If a host name has been assigned in the Configuration > Network Objects/Groups pane, you can use the host name in place of the IP address.

Interface: (Optional) The security appliance interface that transmits the echo request packets. If it is not specified, the security appliance checks the routing table to find the destination address and uses the required interface.
Ping Output: The result of the ping. When you click Ping, five attempts are made to ping the IP address (as in the example output below), and the results display the following fields:
  Reply IP address/Device name: The IP address of the device pinged or a device name, if available. The name of the device, if assigned as a Network Object, may be displayed even if NO response is the result.
  Response time/timeout (ms): When the ping is transmitted, a millisecond timer starts with a specified maximum, or timeout value. This is useful for testing the relative response times of different routes or activity levels, for example.

Example Ping Output:

Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the ping fails, the output is as follows:

Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Ping: Sends an ICMP echo request packet from the specified or default interface to the specified IP address and starts the response timer.
Clear Screen: Clears the output on the screen from previous ping command attempts.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Traceroute
The Traceroute dialog box provides a useful tool to determine the route packets will take to their destination.
Traceroute Output

The traceroute tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following are the output symbols printed by the traceroute tool:

Output Symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N              ICMP network unreachable.
!H              ICMP host unreachable.
!P              ICMP protocol unreachable.
!A              ICMP administratively prohibited.
?               Unknown ICMP error.

Fields

Hostname or IP address: Specifies the hostname or IP address of the host to which the route is traced. If a hostname is specified, define it with Configuration > Global Objects/Groups, or configure a DNS server to enable traceroute to resolve the hostname to an IP address.
Timeout: Specifies the amount of time in seconds to wait for a response before the probe times out. The default is three seconds.
Port: Specifies the destination port used by the UDP probe messages. The default is 33434.
Probe: Specifies the number of probes to be sent at each TTL level. The default count is 3.
Min & Max TTL: Specifies the minimum and maximum time-to-live values for the probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The tool terminates when the traceroute packet reaches the destination or when the maximum value is reached.
Specify Source Interface or IP Address: Specifies the source interface or IP address for the trace. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the security appliance.
Reverse Resolve: When checked, the output displays the names of hops encountered if name resolution is configured. If left unchecked, the output displays IP addresses.
Use ICMP: Specifies the use of ICMP probe packets instead of UDP probe packets.


Traceroute Output: Displays detailed messages about the traceroute.
Traceroute: Starts the traceroute.
Clear: Clears all fields.
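An added example (not Cisco code and not part of the original guide) that reads the per-hop lines the Traceroute tool prints and states where a trace stopped and why, using the output symbols from the table above. The sample output is constructed in the IOS-style layout the appliance uses (hop number, the address that answered, then one result per probe); the addresses are documentation ranges, not real devices. A final hop that answers every probe with !A is the signature of an access rule on an intermediate firewall, which is the case a security engineer most often wants to pick out of a trace.

```python
"""Parse Traceroute tool output and explain the last hop.

Added example for this section; it is not Cisco code. SAMPLE_OUTPUT is
constructed here in the hop-number / address / per-probe-result layout the
appliance prints; the symbol meanings are those of the table above.
"""
import re
from dataclasses import dataclass, field

SYMBOLS = {
    "*": "no response within the timeout period",
    "!N": "ICMP network unreachable",
    "!H": "ICMP host unreachable",
    "!P": "ICMP protocol unreachable",
    "!A": "ICMP administratively prohibited",
    "?": "unknown ICMP error",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
# Alternatives are tried left to right, so "1 msec" is never split into an address "1".
TOKEN_RE = re.compile(r"(\d+)\s+msec|(\*|!N|!H|!P|!A|\?)|(\S+)")


@dataclass
class Hop:
    ttl: int
    addresses: list = field(default_factory=list)   # every address that answered at this TTL
    rtts_ms: list = field(default_factory=list)     # one entry per probe that got an answer
    errors: list = field(default_factory=list)      # one symbol per probe that did not


def parse_hop(line: str):
    """Return a Hop for a probe-result line, or None for headers and blank lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    hop = Hop(ttl=int(m.group(1)))
    for rtt, symbol, address in TOKEN_RE.findall(m.group(2)):
        if rtt:
            hop.rtts_ms.append(int(rtt))
        elif symbol:
            hop.errors.append(symbol)
        elif address not in hop.addresses:
            hop.addresses.append(address)
    return hop


def parse_traceroute(text: str) -> list:
    """All hops in the output, in TTL order."""
    hops = [parse_hop(line) for line in text.splitlines()]
    return [h for h in hops if h is not None]


def diagnose(hops: list) -> str:
    """Explain the last hop: reached, silent, or an ICMP error such as !A (filtered)."""
    if not hops:
        return "no hops in output"
    last = hops[-1]
    where = ", ".join(last.addresses) or "no address"
    if last.rtts_ms:
        return "destination reached at hop %d (%s)" % (last.ttl, where)
    if not last.errors:
        return "hop %d (%s): no probe results" % (last.ttl, where)
    symbol = last.errors[0]
    if symbol == "*":
        answered = [h for h in hops if h.rtts_ms]
        if not answered:
            return "no hop answered: " + SYMBOLS["*"]
        prev = answered[-1]
        return "silent after hop %d (%s): %s" % (prev.ttl, ", ".join(prev.addresses), SYMBOLS["*"])
    return "hop %d (%s): %s" % (last.ttl, where, SYMBOLS[symbol])


# Constructed sample: reachable to hop 2, hop 3 does not answer, and hop 4
# rejects the probes with "administratively prohibited", which is what an
# access rule on an intermediate firewall produces.
SAMPLE_OUTPUT = """Tracing the route to 198.51.100.20
 1  10.1.1.1 1 msec 0 msec 0 msec
 2  192.0.2.1 2 msec 2 msec 3 msec
 3  * * *
 4  203.0.113.9 !A !A !A
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    for h in hops:
        print(h)
    print(diagnose(hops))
```

parse_hop also copes with a hop where different routers answer different probes (each address is recorded once and every round-trip time is kept), which is common behind load-balanced paths and is the reason a hop can show more than one address.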

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

File Management
Lets you view, move, copy and delete files stored on Flash memory. You can also create a directory in Flash memory. In multiple context mode, this tool is only available in the system.
Fields

Folders: Displays the folders available on disk.
Flash Space: Shows the size of Flash and how much is available.
  Total: Shows the total size of Flash memory.
  Available: Shows how much memory is available.
Files: Displays information about the files in the selected folder.
  Path: Shows the selected path.
  Filename
  Size (bytes)
  Time Modified
  Status
View: Displays the selected file in your browser.
Cut: Cuts the selected file for pasting to another directory.
Copy: Copies the selected file for pasting to another directory.
Paste: Pastes the copied file to the selected destination.
Delete: Deletes the selected file from Flash.
Rename: Lets you rename the file.
New Directory: Creates a new directory for storing files.
File Transfer: Opens the File Transfer dialog box.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Upload Image from Local PC


The Upload Image from Local PC dialog box lets you choose a security appliance image file, ASDM image, or other images on your PC, and upload it to Flash memory.
Fields

Image to upload: Select which image type to upload.
Local File Path: Enter the path to the file on your PC.
  Browse Local: Select to browse to the file on your PC.
Flash File System Path: Enter the path to which the file is copied in Flash memory.
  Browse Flash: Select to browse to the directory or file in Flash memory.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

File Transfer
File Transfer lets you copy files to and from your security appliance using HTTPS, TFTP, FTP or by browsing for a local image.
Fields

Source File: Select the source file to be transferred.
  Remote Server: Select to transfer a file from a remote server.
    Path: Enter the path to the location of the file, including the IP address of the server.
    Port/Type: Enter the port number or type (if FTP) of the remote server. Valid FTP types are:
      ap: ASCII files in passive mode.
      an: ASCII files in non-passive mode.
      ip: Binary image files in passive mode.
      in: Binary image files in non-passive mode.
  Flash File System: Select to copy the file from Flash memory.
    Path: Enter the path to the location of the file.


    Browse Flash: Select to browse to the location on your security appliance from which the file will be copied.
  Local Computer: Select to copy the file from the local PC.
    Path: Enter the path to the location of the file.
    Browse Localhost: Browses the local PC for the file to be transferred.
Destination File: Select the destination for the transferred file. Depending on the source selected, the Flash File System or the Remote Server will automatically be selected.
  Flash File System: Transfers the file to Flash memory.
    Path: Enter the path to the location of the file.
    Browse Flash: Select to browse to the location on your security appliance to which the file will be transferred.
  Remote Server: Transfers a file to a remote server.
    Path: Enter the path to the location of the file.
    Type: For FTP transfers, enter the type. Valid types are:
      ap: ASCII files in passive mode.
      an: ASCII files in non-passive mode.
      ip: Binary image files in passive mode.
      in: Binary image files in non-passive mode.

Transfer File: Starts the file transfer.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Upload ASDM Assistant Guide


Upload ASDM Assistant Guide lets you upload to Flash an XML file that contains useful ASDM procedural help about certain tasks. You can obtain these files from Cisco.com. Once loaded, the files are available in the Search field in the File menu.
Fields

File to upload: The name of the XML file located on your computer, typically obtained from Cisco.com.
Flash File System Path: The path in Flash memory to which the XML file is loaded.
Upload File: Starts the upload.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

System Reload
System Reload lets you restart the system and reload the saved configuration into memory. The System Reload dialog box lets you choose when the system should be reloaded, whether to save the running configuration to Flash memory, and whether to send a message to connected users at reload.
Fields

Reload Scheduling: Lets you configure when the reload will take place.
  Configuration State: Select whether or not to save the running configuration at reload.
    Save the Running Configuration at Time of Reload: Select to save the running configuration at reload.
    Reload Without Saving the Running Configuration: Select to discard changes to the running configuration at reload.
  Reload Start Time: Lets you select the time of the reload.
    Now: Select to perform an immediate reload.
    Delay by: Lets you delay the reload by a selected amount of time. Enter the time to elapse before the reload in hours and minutes, or in minutes.
    Schedule at: Lets you schedule the reload to take place at a specific time and date. Enter the time of day the reload is to take place, and select the date of the scheduled reload.
  Reload Message: Enter a message to be sent to open instances of ASDM at reload.
  On Reload Failure Force Immediate Reload after: If the reload fails, the amount of time, in hours and minutes or in minutes, to wait before a reload is attempted again.
  Schedule Reload: Schedules the reload as configured.
Reload Status: Displays the status of the reload.
  Cancel Reload: Cancels the scheduled reload.
  Refresh: Refreshes the Reload Status display.
  Details: Displays the details of the scheduled reload.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System


Wizards Menu
The Wizards menu lets you run a wizard to configure multiple features.

Startup Wizard: The ASDM Startup Wizard walks you, step by step, through the initial configuration of your security appliance. As you click through the configuration screens, you are prompted to enter information about your security appliance. The Startup Wizard applies these settings, so you should be able to start using your security appliance right away.
VPN Wizard: The VPN Wizard is a simple way to get a VPN policy configured on your security appliance.
High Availability and Scalability Wizard: Use this wizard to configure failover on your security appliance.

Help Menu
The Help menu provides links to online Help as well as information about ASDM and security appliance.

Help Topics: Opens a new browser window with help arranged by contents, screen name, and index in the left frame. Use these to find help for any topic, or search using the Search tab above.
Help for Current Screen: Opens context-sensitive help about the screen, panel, or dialog box that is currently open. You can also click the question mark help icon for context-sensitive help.
Release Notes: Opens the most current version of the Release Notes for Cisco ASDM on the web. The Release Notes contain the latest information about ASDM software and hardware requirements, and the latest information about changes in the software.
Getting Started: Brings up the Getting Started help topic to help you get started using ASDM.
Glossary: Contains definitions of terms and acronyms.
Feature Matrix: Opens the most current version of the Release Notes for Cisco ASDM on the web, which includes the latest licensing information.
Feature Search: Lets you search for a function in ASDM. The Search feature looks through the titles of each panel and presents you with a list of matches, with a hyperlink directly to each panel. If you need to switch quickly between two different panels you found in Search, use the Back and Forward buttons. You can also click the Search icon on the ASDM Toolbar.
How do I?: Opens the ASDM Assistant, which lets you search downloadable content from Cisco.com with details about performing certain tasks.
Legend: Provides a list of icons found in ASDM and explains what they represent.
About Cisco Platform: Displays an extensive list of information about the security appliance, including software versions, hardware sets, the configuration file loaded at startup, and the software image loaded at startup. This information is helpful in troubleshooting.
About Cisco ASDM 5.2: Displays information about ASDM such as the ASDM software version, hostname, privilege level, operating system, browser type, and Java version.

Toolbar
The Toolbar at the top of the ASDM window, below the menus, provides access to the home page, configuration pages, and monitoring pages. It also lets you choose between the system and security contexts in multiple context mode, and provides navigation, and other commonly-used functions.


System/Contexts: Click the down arrow to open the context list in a left-hand pane, and the up arrow to restore the context drop-down list. When expanded, click the left arrow to collapse the pane all the way left, and the right arrow to restore the pane. To manage the system, select System from the list. To manage a context, select the context from the list.
Home: Displays the Home page, which lets you view at a glance important information about your security appliance such as the status of your interfaces, the version you are running, licensing information, and performance. See Home Page for more information. In multiple mode, the system does not have a Home page.
Configuration: Configures the security appliance. Choose a feature button in the left-hand pane to configure that feature.
Monitoring: Monitors the security appliance. Choose a feature button in the left-hand pane to monitor that feature.
Back: Takes you back to the last panel of ASDM you visited.
Forward: Takes you forward again to the panel you left by clicking Back.
Search: Lets you search for a function in ASDM. The Search feature looks through the titles of each panel and presents you with a list of matches, with a hyperlink directly to each panel. If you need to switch quickly between two different panels you found in Search, use Back and Forward.
Refresh: Refreshes ASDM with the current running configuration. This button does not refresh the graphs in any of the monitoring panels.
Save: Saves the running configuration to the startup configuration. If you have a context that is not write accessible, for example on HTTP, then this button does not save the running configuration.
Help: Shows context-sensitive help for the screen that is currently open.

Status Bar
The status bar appears at the bottom of the ASDM window. The areas below appear from left to right on the status bar.

Status: Shows the status of the configuration, such as "Device configuration loaded successfully."
User Name: Shows the username of the ASDM user. If you logged in without a username, the username is admin.
User Privilege: Shows the privilege of the ASDM user.
Commands Ignored by ASDM: When you click the icon, ASDM shows a list of commands from your configuration that ASDM did not process. They are not removed from the configuration. See Show Commands Ignored by ASDM on Device for more information.
Status of Connection to Device: Shows the ASDM connection status to the security appliance. See Connection to Device for more information.
Save to Flash Needed: Shows that you made configuration changes in ASDM, but that you have not yet saved the running configuration to the startup configuration.
Refresh Needed: Shows that you need to refresh the configuration from the security appliance to ASDM because the configuration changed on the security appliance. For example, you made a change to the configuration at the CLI.
SSL Secure: Shows that the connection to ASDM is secure because it uses SSL.
Time: Shows the time that is set on the security appliance.


Connection to Device
ASDM maintains a constant connection to the security appliance to maintain up-to-date monitoring and home page data. This dialog box shows the status of this connection. When you make a configuration change, ASDM opens a second connection for the duration of the configuration, and then closes it. That connection is not represented by this dialog box.

Buttons That Appear on Many Panels


These buttons appear on many ASDM panels:

Apply: Sends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit.
Reset: Discards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed.
Cancel: Discards changes and returns to the previous panel.
Help: Displays help for the selected panel.

About the Help Window


This section contains the following topics:

Header Buttons
Notes

Header Buttons
Use the header buttons to navigate through the help to find the topic you are looking for.

About ASDM: Displays information about ASDM.
Search: Lets you search the help topics.
Using Help: Describes the best way to get the most out of online help.
Glossary: Lists a glossary of terms found in ASDM and networking.
Contents: Displays a table of contents.
Screens: Lists help files by screen name.
Index: Provides an index of help topics found in ASDM online help.

Left-Pane Tabs: Help you navigate the online help.
Right-Pane Help Content: Displays the help for the selected topic.


Notes
When help is invoked in applet mode and a help page is already open, the new help page appears in the same browser window. If no help page is already open, the help page appears in a new browser window.

When help is invoked in application mode and Netscape is the default browser, each time help is invoked the help page appears in a new browser window. If IE is the default browser, depending on the user setting, the help page may appear either in the last visited browser window or in a new browser window. This behavior of IE can be controlled using the option Tools > Internet Options > Advanced > Reuse window for launching shortcuts.

Home Page
The ASDM home pane lets you view, at a glance, important information about your security appliance. If you have an SSM installed in your security appliance, an additional tab appears on the home page. The additional tab displays status information about the software on the SSM. For more information about configuring these areas, see the following:

Home
Home > Content Security Tab

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Home
The ASDM home pane lets you view, at a glance, important information about your security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance. Many of the details available on the ASDM home page are available elsewhere in ASDM, but this is a useful and quick way to see how your security appliance is running. Status information on the Home pane is updated every ten seconds.
Fields

Device Information: Includes two tabs to show device information.
  General: Shows the following information:
    Host Name: Display only. Shows the security appliance hostname. See Device to set the hostname.


    Platform Version: Display only. Shows the security appliance software version.
    Device Uptime: Display only. Shows how long the security appliance has been running.
    ASDM Version: Display only. Shows the ASDM version.
    Device Type: Display only. Shows the security appliance model.
    Firewall Mode: Display only. Shows the firewall mode, either Routed or Transparent. See Firewall Mode Overview for more information.
    Context Mode: Display only. Shows the context mode, either Single or Multiple. See Security Context Overview for more information.
    Total Flash: Display only. Shows the total amount of Flash memory (the internal Flash memory plus the external Flash memory card, if available) in MB.
    Total Memory: Display only. Shows the total RAM.
  License: Display only. Shows the level of support for licensed features on the security appliance.

VPN Status: Routed, single mode only. Shows the following information:
  IKE Tunnels: Display only. Shows the number of connected IKE tunnels.
  IPSec Tunnels: Display only. Shows the number of connected IPSec tunnels.

System Resources Status: Shows the following CPU and memory usage statistics:
  CPU: Display only. Shows the current percentage of CPU being utilized.
  CPU Usage (percent): Display only. Shows the CPU usage for the last five minutes.
  Memory: Display only. Shows the current amount of memory being used in MB.
  Memory Usage (MB): Display only. Shows the memory usage for the last five minutes in MB.

Interface Status: Shows the status of each interface. If you select an interface row, the input and output Kbps are shown under the table.
  Interface: Display only. Shows the interface name.
  IP Address/Mask: Display only. Routed mode only. Shows the IP address and subnet mask of the interface.
  Line: Display only. Shows the administrative status of the interface. A red icon is displayed if the line is down, and a green icon is displayed if the line is up.
  Link: Display only. Shows the link status of the interface. A red icon is displayed if the link is down, and a green icon is displayed if the link is up.
  Current Kbps: Display only. Shows the current number of kilobits per second that cross the interface.

Traffic Status: Shows graphs for connections per second for all interfaces and for the traffic throughput of the lowest security interface.
  Connections per Second Usage: Display only. Shows the UDP and TCP connections per second over the last 5 minutes. This graph also shows the current number of connections by type: UDP, TCP, and Total.
  Name Interface Traffic Usage (Kbps): Display only. Shows the traffic throughput for the lowest security interface. If you have multiple interfaces at the same level, then ASDM shows the first interface alphabetically. This graph also shows the current throughput by type: Input Kbps and Output Kbps.


Latest ASDM Syslog Messages: Shows the latest system messages generated by the security appliance.
  Stop Message Display: Stops logging to ASDM.
  Resume Message Display: Resumes logging to ASDM.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Home > Content Security Tab


The Content Security tab lets you view important information about the Content Security and Control (CSC) SSM. This panel appears only if a CSC SSM is installed in the security appliance. For an introduction to CSC SSM, see About the CSC SSM.

Note

If you have not completed the Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panels under Home > Content Security. Instead, a dialog box appears and lets you access the Setup Wizard directly from Home > Content Security.
Fields

Device Information: Shows the following information:
Model: Shows the type of SSM installed in your security appliance.
Mgmt IP: Shows the IP address of the management interface for the CSC SSM.
Version: Shows the CSC SSM software version.
Last Update: Shows the date of the last software update obtained from Trend Micro.
Daily Node #: Shows the number of network devices for which the CSC SSM provided services in the preceding 24 hours. ASDM updates this field at midnight.
Base License: Shows license status for basic features of the CSC SSM, such as anti-virus, anti-spyware, and FTP file blocking features. The date that the license is due to expire appears. If the license has expired, the date of expiry appears. If no license is configured, the field shows Not Available.
Plus License: Shows license status for advanced features of the CSC SSM, such as anti-spam, anti-phishing, email content filtering, and URL blocking and filtering features. The date that the license is due to expire appears. If the license has expired, the date of expiry appears. If no license is configured, the field shows Not Available.
Licensed Nodes: Shows the maximum number of network devices for which your CSC SSM is licensed to provide services.


System Resources Status: Shows the following CPU and memory usage statistics for the CSC SSM:
CPU: Shows the current percentage of CPU being utilized.
CSC SSM CPU Usage (percent): Shows the CPU usage for the last five minutes.
Memory: Shows the current amount of memory being used in MB.
CSC SSM Memory Usage (MB): Shows the memory usage for the last five minutes in MB.

Threat Summary: Shows aggregate data about threats detected by the CSC SSM.
Threat Type: Lists four threat types: Virus, Spyware, URL Filtered, and URL Blocked.
Today: Shows the number of threats detected for each threat type within the past 24 hours.
Last 7 Days: Shows the number of threats detected for each threat type within the past 7 days.
Last 30 Days: Shows the number of threats detected for each threat type within the past 30 days.

Email Scan: Shows graphs for emails scanned and email virus and spyware detected.
Email Scanned Count: Shows the number of emails scanned, as separate graphs by email protocol (SMTP or POP3) and as a combined graph for both supported email protocols. The graphs display data in ten-second intervals.
Email Virus and Spyware: Shows the number of viruses and spyware detected in email scans, as separate graphs by threat type (virus or spyware). The graphs display data in ten-second intervals.

Latest CSC Security Events: Shows, in real time, security event messages received from the CSC SSM.
Time: Displays the time an event occurred.
Source: Displays the IP address or hostname from which the threat came.
Threat/Filter: Displays the type of threat or, in the case of a URL filter event, the filter that triggered the event.
Subject/File/URL: Displays the subject of emails containing a threat, the names of FTP files containing a threat, or URLs blocked or filtered.
Receiver/Host: Displays the recipient of emails containing a threat or the IP address or hostname of a node threatened.
Sender: Displays the sender of emails containing a threat.
Content Action: Displays the action taken upon the content of the message or file, such as delivering the content unaltered, deleting attachments, or cleaning attachments before delivering them.
Msg Action: Displays the action taken upon the message, such as delivering the message unchanged, delivering the message after deleting attachments, or not delivering the message.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Chapter 2 Before You Start


This section contains the following topics:

Factory Default Configurations
Configuring the Security Appliance for ASDM Access
Setting Transparent or Routed Firewall Mode at the CLI
Downloading the ASDM Launcher
Starting ASDM
History Metrics
Configuration Overview

Factory Default Configurations


The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances. For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately. The factory default configuration is available only for routed firewall mode and single context mode. See Configuring Security Contexts for more information about multiple context mode. See the Firewall Mode Overview for more information about routed and transparent firewall mode. This section includes the following topics:

Restoring the Factory Default Configuration, page 2-2
ASA 5505 Default Configuration, page 2-2
ASA 5510 and Higher Default Configuration, page 2-3
PIX 515/515E Default Configuration, page 2-4


Restoring the Factory Default Configuration


To restore the factory default configuration, perform the following steps:

Step 1

Choose File > Reset Device to the Factory Default Configuration.

Step 2

To change the default IP address to an IP address of your choosing, check the Use this address for the <default interface> which will be named as <name> check box.

Step 3

Enter the new IP address in the Management IP Address field.

Step 4

Enter the new subnet mask in the Management Mask field.

Step 5

Click OK.

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 198.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared. See the

Note

This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot. To configure additional settings that are useful for a full configuration, see the setup command.

ASA 5505 Default Configuration


The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.
The default route is also derived from DHCP.
All inside IP addresses are translated when accessing the outside using interface PAT.
By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.


The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface Ethernet 0/0
 switchport access vlan 2
 no shutdown
interface Ethernet 0/1
 switchport access vlan 1
 no shutdown
interface Ethernet 0/2
 switchport access vlan 1
 no shutdown
interface Ethernet 0/3
 switchport access vlan 1
 no shutdown
interface Ethernet 0/4
 switchport access vlan 1
 no shutdown
interface Ethernet 0/5
 switchport access vlan 1
 no shutdown
interface Ethernet 0/6
 switchport access vlan 1
 no shutdown
interface Ethernet 0/7
 switchport access vlan 1
 no shutdown
interface vlan2
 nameif outside
 no shutdown
 ip address dhcp setroute
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
 no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

ASA 5510 and Higher Default Configuration


The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:

The management Management 0/0 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

PIX 515/515E Default Configuration


The default factory configuration for the PIX 515/515E security appliance configures the following:

The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface ethernet 1
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

Configuring the Security Appliance for ASDM Access


If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration; see the Factory Default Configurations section on page 2-1). On the ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, see the Cisco ASA 5500 Series Configuration Guide using the CLI to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.


Setting Transparent or Routed Firewall Mode at the CLI


You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For more information about the firewall mode, see Firewall Mode Overview.

For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.

When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. For multiple context mode, the system configuration is erased. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Be sure to recreate your context configurations for the correct mode before you re-add them, or add new contexts with new paths for the new configurations.

If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.

To set the firewall mode, perform the following steps. In multiple context mode, perform these steps in the system execution space.
Step 1

In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory using one of the following commands. You can use this backup configuration for reference when creating your new configuration.

To copy to a TFTP server, enter the following command:


hostname# copy {startup-config | running-config} tftp://server[/path]/filename

To copy to a FTP server, enter the following command:


hostname# copy {startup-config | running-config} ftp://[user[:password]@]server[/path]/filename

To copy to local Flash memory, enter the following command:


hostname# copy {startup-config | running-config} {flash:/ | disk0:/ | disk1:/}[path/]filename

Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.
Step 2

To change the mode, enter one of the following commands:

To set the mode to transparent, enter the following command:


hostname(config)# firewall transparent

This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.

To set the mode to routed, enter the following command:


hostname(config)# no firewall transparent
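As an added example (not part of the Cisco guide), the following Python checker applies two rules stated in this chapter to a text configuration before it is loaded: that firewall transparent, if present, is the first command (otherwise every preceding line is cleared), and that the http access subnet and dhcpd pool in the factory default configurations stay inside the subnet of the interface they name. The sample configuration is constructed from the ASA 5510 default shown under Factory Default Configurations, with a misplaced firewall transparent line and an over-broad http line added so that both checks report something.

```python
import ipaddress
import re

# Constructed sample (not a Cisco-shipped file): the ASA 5510 factory default
# from this guide, plus a misplaced 'firewall transparent' and an over-broad
# 'http 0.0.0.0 0.0.0.0' line so that both checks produce a finding.
SAMPLE_CONFIG = """\
interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
firewall transparent
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
"""


def parse_interfaces(lines):
    """Return {nameif: (interface address, interface subnet)} from 'interface' blocks."""
    found, block = {}, {}

    def commit():
        if "nameif" in block and "addr" in block:
            found[block["nameif"]] = (block["addr"].ip, block["addr"].network)

    for line in lines:
        s = line.strip()
        if s.startswith("interface "):
            commit()
            block = {}
        elif s.startswith("nameif "):
            block["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            parts = s.split()
            # 'ip address dhcp setroute' (outside VLAN on the ASA 5505) has no static subnet
            if len(parts) >= 4 and parts[2] != "dhcp":
                block["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    commit()
    return found


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith(("!", ":"))]
    findings = []

    # Check 1: 'firewall transparent' must be the first command of a text
    # configuration; the appliance clears every line that precedes it.
    pos = [i for i, l in enumerate(lines) if l.strip() == "firewall transparent"]
    if pos and pos[0] != 0:
        findings.append(f"'firewall transparent' is command {pos[0] + 1}, not first; "
                        f"{pos[0]} preceding line(s) would be cleared on load")

    ifaces = parse_interfaces(lines)
    ipv4 = r"(\d+\.\d+\.\d+\.\d+)"
    for s in (l.strip() for l in lines):
        # Check 2: 'http <addr> <mask> <nameif>' should cover no more than the
        # subnet of the interface it names.
        m = re.match(rf"http {ipv4} {ipv4} (\S+)$", s)
        if m:
            allowed = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ref = ifaces.get(m.group(3))
            if ref is None:
                findings.append(f"http rule names unknown interface {m.group(3)!r}")
            elif not allowed.subnet_of(ref[1]):
                findings.append(f"http access {allowed} exceeds {m.group(3)} subnet {ref[1]}")
            continue
        # Check 3: the DHCP pool must lie inside the interface subnet and must
        # not include the interface's own address.
        m = re.match(rf"dhcpd address {ipv4}-{ipv4} (\S+)$", s)
        if m:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            ref = ifaces.get(m.group(3))
            if ref is None:
                findings.append(f"dhcpd pool names unknown interface {m.group(3)!r}")
            elif lo > hi or lo not in ref[1] or hi not in ref[1]:
                findings.append(f"dhcpd pool {lo}-{hi} is outside {m.group(3)} subnet {ref[1]}")
            elif lo <= ref[0] <= hi:
                findings.append(f"dhcpd pool {lo}-{hi} includes interface address {ref[0]}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a configuration file you intend to copy to the appliance; an empty result means the file passes these three checks, not that the configuration is otherwise sound.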


Downloading the ASDM Launcher


The ASDM Launcher is for Windows only. The ASDM Launcher is an improvement over running ASDM as a Java Applet. The ASDM Launcher avoids double authentication and certificate dialog boxes, launches faster, and caches previously entered IP addresses and usernames. To download the ASDM Launcher, perform the following steps:
Step 1

From a supported web browser on the security appliance network, enter the following URL:
https://interface_ip_address

In transparent firewall mode, enter the management IP address.

Note

Be sure to enter https, not http.

Step 2

Click OK or Yes to all prompts, including the name and password prompt. By default, leave the name and password blank. A page displays with the following buttons:

Download ASDM Launcher and Start ASDM
Run ASDM as a Java Applet

Step 3

Click Download ASDM Launcher and Start ASDM. The installer downloads to your PC.

Step 4

Run the installer to install the ASDM Launcher.

Starting ASDM
This section describes how to start ASDM according to one of the following methods:

Starting ASDM from the ASDM Launcher, page 2-6
Using ASDM in Demo Mode, page 2-7
Starting ASDM from a Web Browser, page 2-8

Starting ASDM from the ASDM Launcher


The ASDM Launcher is for Windows only. To start ASDM from the ASDM Launcher, perform the following steps:
Step 1

Double-click the Cisco ASDM Launcher shortcut on your desktop, or start it from the Start menu.


Step 2

Enter the security appliance IP address or hostname, your username, and your password, and then click OK. If there is a new version of ASDM on the security appliance, the ASDM Launcher automatically downloads it before starting ASDM.

Using ASDM in Demo Mode


ASDM Demo Mode is available as a separately installed application running under Windows. It makes use of the ASDM Launcher and pre-packaged configuration files to let you run ASDM without having a live device available. ASDM Demo Mode lets you:

Perform configuration and select monitoring tasks via ASDM as though you were interacting with a real device.
Demonstrate ASDM or security appliance features using the ASDM interface.
Perform configuration and monitoring tasks with the Content Security and Control SSM (CSC SSM).

ASDM Demo Mode provides simulated monitoring data, including real-time system log messages. The data shown is randomly generated, but the experience is identical to what you would see when connecting to a real device. ASDM Demo Mode has the following limitations:

Changes made to the configuration will appear in the GUI but are not applied to the configuration file. That is, when you click the Refresh button, it will revert back to the original configuration. The changes are never saved to the configuration file.
File/Disk operations are not supported.
Monitoring and logging data are simulated. Historical monitoring data is not available.
You can only log in as an admin user; you cannot log in as a monitor-only or read-only user.
Demo Mode does not support the following features:

File menu:
  Save Running Configuration to Flash
  Save Running Configuration to TFTP Server
  Save Running Configuration to Standby Unit
  Save Internal Log Buffer to Flash
  Clear Internal Log Buffer

Tools menu:
  Command Line Interface
  Ping
  File Management
  Update Image
  File Transfer
  Upload image from Local PC
  System Reload

Toolbar/Status bar > Save Configuration
Interface > Edit Interface > Renew DHCP Lease
Failover: Configuring a standby device

These operations cause a reread of the configuration and therefore will revert it back to the original configuration:
  Switching contexts
  Making changes in the Interface panel
  NAT panel changes
  Clock panel changes

To run ASDM in Demo Mode, perform the following steps:


Step 1

If you have not yet installed the Demo Mode application, perform the following steps:

a. Download the ASDM Demo Mode installer from http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm. The filename is asdm-version-demo.msi.

b. Double-click the installer to install the software.

Step 2

Double-click the Cisco ASDM Launcher shortcut on your desktop, or start it from the Start menu.

Step 3

Click the Run in Demo Mode check box.

Step 4

To set the platform, context and firewall modes, and ASDM Version, click the Demo button and make your selections from the Demo Mode area.

Step 5

If you want to use new ASDM images as they come out, you can either download the latest installer, or you can download the normal ASDM images and install them for Demo Mode:

a. Download the image from http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm. The filename is asdm-version.bin.

b. In the Demo Mode area, click Install ASDM Image. A file browser appears. Find the ASDM image file in the browser.

Step 6

Click OK to launch ASDM Demo Mode. You see a Demo Mode label in the title bar of the window.

Starting ASDM from a Web Browser


To start ASDM from a web browser, perform the following steps:
Step 1

From a supported web browser on the security appliance network, enter the following URL:
https://interface_ip_address

In transparent firewall mode, enter the management IP address.

Note

Be sure to enter https, not http.


Step 2

Click OK or Yes to all browser prompts, including the name and password prompt. By default, leave the name and password blank. A page displays with the following buttons:

Download ASDM Launcher and Start ASDM
Run ASDM as a Java Applet

Step 3

Click Run ASDM as a Java Applet.

Step 4

Click OK or Yes to all Java prompts, including the name and password prompt. By default, leave the name and password blank.

History Metrics
The History Metrics pane lets you configure the security appliance to keep a history of various statistics, which can be displayed by ASDM on any Graph/Table. If you do not enable history metrics, you can only monitor statistics in real time. Enabling history metrics lets you view statistics graphs from the last 10 minutes, 60 minutes, 12 hours, and 5 days.
Fields

ASDM History MetricsEnables history metrics. Unchecking this check box clears and disables the history metrics.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Configuration Overview
To configure and monitor the security appliance, perform the following steps:
Step 1

Use the Startup Wizard for initial configuration by clicking Wizards > Startup Wizard.

Step 2

To configure VPN connections, use the VPN Wizard by clicking Wizards > VPN Wizard and completing each screen that appears.

Step 3

Configure advanced features by clicking the Configuration button on the toolbar and then clicking a feature button. Features include:

Configuring Interfaces: Configures basic interface parameters including the IP address, name, security level, and for transparent mode, the bridge group.
Security Policy: Includes access rules, AAA rules, filter rules, and service policy rules.


  Access Rules: Permits or denies IP traffic through the security appliance. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
  Ethertype Rules (Transparent Mode Only): Permits or denies non-IP traffic through the security appliance.
  AAA Rules: Requires authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  Filter Rules: Prevents outbound access to specific websites or FTP servers. The security appliance works with a separate server running either Websense Enterprise or Sentian by N2H2. See Configuration > Properties > URL Filtering to configure the URL filtering server, which must be configured before you add a rule.
  Service Policy Rules: Applies application inspection, connection limits, and TCP normalization. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection. You can also limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP normalization drops packets that do not appear normal.
NAT: Translates addresses used on a protected network to addresses used on the public Internet. This lets you use private addresses, which are not routable on the Internet, on your inside networks.
VPN: Configures VPN connections.
  VPN Wizard: Runs the VPN wizard.
  E-Mail Proxy: Configures e-mail proxies. E-mail proxies extend remote e-mail capability to WebVPN users.
  General: Sets general VPN configuration parameters.
  IKE: IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPSec security association.
  IP Address Management: Sets the IP addresses of clients after they connect through the VPN tunnel.
  IPSec: Configures the IPSec protocol for VPN tunnels.
  Load Balancing: Configures load balancing for VPN connections.
  WebVPN: Configures WebVPN. WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser.
CSD Manager: Configures the CSC SSM (available for the ASA 5500 series adaptive security appliance).
Configuring IPS: Configures the AIP SSM (available for the ASA 5500 series adaptive security appliance).
Configuring Dynamic And Static Routing: (Single mode only) Configures OSPF, RIP, static, and asymmetric routing.
Global Objects: Provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. These reusable components, or global objects, include the following:
  Hosts/Networks
  Inspect Maps
  TCP Maps
  Time Ranges

Step 4

Monitor the security appliance by clicking the Monitoring button on the toolbar and then clicking the feature button. Features include:

Monitoring Interfaces: Monitors the ARP table, DHCP, dynamic access list, and interface statistics.
Monitoring Routing: Monitors routes, OSPF LSAs, and OSPF neighbors.
Monitoring Properties: Monitors management sessions, AAA servers, failover, CRLs, the DNS cache, and system statistics.
Monitoring System Log Messages: Monitors system log messages.
Monitoring Failover: (For the system in multiple mode) Monitors failover in the system.


Chapter 3 Using the Startup Wizard


Startup Wizard
The ASDM Startup Wizard walks you through, step by step, the initial configuration of your security appliance. As you click through the configuration screens, you will be prompted to enter information about your security appliance. The Startup Wizard will apply these settings, so you should be able to start using your security appliance right away. The Startup Wizard defines the following in your configuration:

A hostname for your security appliance.
A domain name for your security appliance.
An enable password that is used to restrict administrative access to the security appliance through ASDM or the command-line interface.
The IP address information of the outside interface on the security appliance.
The other interfaces of your security appliance, such as the inside or DMZ interfaces, can be configured from the Startup Wizard.
NAT or PAT rules for your security appliance.
DHCP settings for the inside interface, such as for use with a DHCP server.

More information about each setting is available by clicking the Help button on the corresponding configuration screen. Before you begin using the Startup Wizard, make sure you have the following information available:

A unique hostname to identify the security appliance on your network.
The IP addresses of your outside, inside, and other interfaces.
The IP addresses to use for NAT or PAT configuration.
The IP address range for the DHCP server.

Remember:

You can access the Startup Wizard from the Cisco ASDM 5.2 Start page by selecting the Run Startup Wizard as a Java Applet button.
You can access the Startup Wizard at any time using the Wizards menu in ASDM.
The Help button is an icon with a question mark.
On subsequent Startup Wizard pages, you can click Finish to complete the wizard at any time. This sends changes made in the Startup Wizard to the security appliance.


Important Notes

The security appliance can run in two modes:


Routed: In routed mode, the security appliance acts as a router between connected networks. Each interface requires an IP address on a different subnet. The security appliance performs NAT between connected networks. In single context mode, the routed firewall supports OSPF and RIP (in passive mode). Multiple context mode supports static routes only. Routed mode supports up to 256 interfaces per context or in single mode, with a maximum of 1000 interfaces divided between all contexts. Each interface is on a different subnet. You can share interfaces between contexts. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an ACL. The transparent firewall, however, can allow any traffic through using either an extended ACL (for IP traffic) or an EtherType ACL.

Note

We recommend using the advanced routing capabilities of the upstream and downstream routers, such as the MSFC, instead of relying on the security appliance for extensive routing needs.

Transparent: In transparent mode, the security appliance is not seen as a router hop to connected devices, but acts like a bump in the wire, or a stealth firewall. The security appliance connects the same network on its inside and outside ports, but uses different VLANs on the inside and outside. No dynamic routing protocols or NAT are required. Transparent mode only supports two interfaces, an inside interface and an outside interface. Transparent mode helps simplify the configuration and reduces its visibility to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams. Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended ACL. The only traffic allowed through the transparent firewall without an ACL is ARP traffic. ARP traffic can be controlled by ARP inspection.

Note

The transparent mode security appliance does not pass CDP packets.

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.

The security appliance can be used as an Easy VPN remote device. However, if the security appliance is configured to function as an Easy VPN remote device, it cannot establish other types of tunnels. For example, the security appliance cannot function simultaneously as both an Easy VPN remote device and as one end of a standard peer-to-peer VPN deployment.

Cisco ASDM User Guide

3-2

OL-10106-04

Chapter 3

Using the Startup Wizard Startup Wizard

There are two modes of operation when using the security appliance as an Easy VPN remote device:

Client Mode
Network Extension Mode

When configured in Easy VPN Client Mode, the security appliance does not expose the IP addresses of clients on its inside network. Instead, it uses NAT (Network Address Translation) to translate the IP addresses on the private network to a single, assigned IP address. When the security appliance is configured in Client Mode, devices on the private network cannot be pinged or accessed from outside it. When configured in Easy VPN Network Extension Mode, the security appliance does not protect the IP addresses of local hosts by substituting an assigned IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.

Fields

Launch Startup Wizard: Launches the Startup Wizard.

Note

The Launch Startup Wizard button does not appear if you click Wizards > Startup Wizard on the toolbar. With the exception of this screen, all screens in the Startup Wizard display the following buttons:

Back: Returns you to the previous screen (the button is dimmed on this screen).
Next: Advances you to the next screen.
Finish: Submits your configuration to the security appliance based on the choices made in this screen (the button is dimmed on this screen).
Cancel: Discards any changes without applying them. The wizard prompts you with the Exit Wizard dialog box when you click Cancel. Clicking Exit closes the wizard, and clicking Cancel again returns you to the wizard screen.

At any time in the wizard you can click Back to return to the previous screen.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

Starting Point
Benefits

The Starting Point screen lets you continue with your existing configuration or reset the configuration to the factory default values. If you check Reset configuration to factory defaults, you revert to the default IP address and subnet mask of the inside interface. If you continue with your existing configuration, you retain your current IP address and subnet mask.
Fields

The Starting Point screen displays the Next, Cancel, and Help buttons, in addition to the following:


Modify existing configuration: Click to start the wizard with the existing configuration.
Reset configuration to factory defaults: Click to start the wizard at the factory default values for the inside interface.
  Configure the IP address of the management interface: Check this box to configure the IP address and subnet mask of the management interface.
    IP Address: Lets you enter the IP address of the management interface to configure.
    Subnet Mask: Lets you enter the subnet mask of the management interface to configure.

Note

If you reset the configuration to the factory defaults, you cannot undo the change by cancelling the wizard.

Note

The Back and Finish buttons are disabled on this screen.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: File > Reset Device to the Factory Default Configuration

Basic Configuration
Benefits

The Basic Configuration screen lets you configure the hostname of your security appliance, the enable password, and a domain name for the security appliance. The domain name can be up to 63 alphanumeric characters in mixed case. The enable password is used to administer the security appliance through ASDM or through the command line interface. The password is case-sensitive and can be up to 16 alphanumeric characters. To change the current password, check Change privileged mode (enable) password, enter the old password, then enter the new password and confirm it in the fields provided.

Note

If you leave the password field blank, a Password Confirmation screen displays and notifies you that this is a high security risk.


Fields

The Basic Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Host Name: Lets you enter a hostname for the security appliance. The hostname can be up to 63 alphanumeric characters in mixed case. Note: this field is labeled either ASA Host Name or PIX Host Name, depending on the platform you are using.
Domain Name: Specifies the domain name of the security appliance, which can be used later for IPsec certificates. The domain name can be up to 63 alphanumeric characters, with no special characters or spaces.
Privileged Mode (Enable) Password area: Lets you restrict administrative access to the security appliance through ASDM or the command line interface.
  Change privileged mode (enable) Password: Check this box to change the current privileged mode (enable) password.
  Old Password: Lets you enter the old enable password, if one exists.
  New Password: Lets you enter the new enable password. The password is case-sensitive and can be up to 16 alphanumeric characters.
  Confirm New Password: Lets you reenter the new enable password.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen:
Configuration > Properties > Device Administration > Device
Configuration > Properties > Device Administration > Password

Outside Interface Configuration


Benefits

The Outside Interface Configuration screen lets you configure your outside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.
Fields

The Outside Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Interface Properties area
  Interface: Lets you add a new interface, or select an interface from the drop-down list.
  Interface Name: Lets you add a name to a new interface, or displays the name associated with an existing interface.
  Enable interface: Check this box to activate the interface in privileged mode.
  Security Level: Displays the security level of the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Click to obtain an IP address from a PPP over Ethernet (PPPoE) server for the interface. The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
  Use DHCP: Click to obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server, so that IP addresses can be reused when hosts no longer need them.

Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

  Use the following IP address: Click to manually specify an IP address for the interface:
    IP Address: Lets you enter an IP address for the outside interface.
    Subnet Mask: Lets you enter a subnet mask for the outside interface, or choose one from the drop-down list.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces


Internet (Outside) VLAN Configuration


Benefits

The Internet (Outside) VLAN Configuration screen lets you configure your Internet interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.
Important Notes

With a full license, the security appliance supports up to five interfaces, of which a maximum of three can be named. With a restricted license, the security appliance supports up to three interfaces, and in transparent mode it supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead.
Fields

The Internet (Outside) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Internet Interface area
  Choose an interface: Click to choose an interface to configure, then select an interface from the drop-down list.
  Create new VLAN interface: Click to create a new VLAN interface, then enter the new VLAN number. If the maximum number of interfaces has already been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead. See the Important Notes section for additional information.
  Enable interface: Check this box to activate the interface in privileged mode.
  Interface Name: Lets you specify a name for the interface.
  Security Level: Lets you enter a security level for the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Click to obtain a dynamic IP address from a PPPoE server for the Internet interface.
  Use DHCP: Click to obtain an IP address for the Internet interface from a DHCP server.

Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.


  Use the following IP address: Click to specify an IP address for the Internet interface rather than obtaining one from a PPPoE or DHCP server:
    IP Address: Lets you enter an IP address for the Internet interface.
    Subnet Mask: Lets you enter a subnet mask for the Internet interface, or choose one from the drop-down list.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Outside Interface Configuration - PPPoE


Benefits

The Outside Interface Configuration - PPPoE screen lets you configure your interface by obtaining an IP address from a PPPoE server. The security appliance is the PPPoE client on the specified interface. Before any network layer protocols can be routed, a PPPoE session must be opened and negotiated, in this case using PPP authentication (PAP, CHAP, or MSCHAP) of the client to the server.
Fields

The Outside Interface Configuration - PPPoE screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Group Name: Lets you specify the PPPoE group name under which the PPPoE settings for the interface are stored.

Note

You must specify a group name in order to proceed.

User Authentication area
  PPPoE Username: Lets you specify the PPPoE username for authentication purposes.
  PPPoE Password: Lets you specify the PPPoE password for authentication purposes.
  Confirm PPPoE Password: Lets you confirm the PPPoE password.

Authentication Method area
The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.


  PAP: Check this to select the Password Authentication Protocol as the authentication method. PAP is the simplest authentication protocol: the username and password are sent in cleartext, so anyone who can observe the link can read them.
  CHAP: Check this to select the Challenge Handshake Authentication Protocol method. CHAP does not by itself prevent unauthorized access; it only identifies the remote end. The access server then determines whether that user is allowed access.
  MSCHAP: Check this to select Microsoft Challenge Handshake Authentication Protocol authentication for PPP connections between a computer running a Microsoft Windows operating system and an access server.

IP Address area
  Obtain IP Address using PPPoE: Click to obtain an IP address from the PPPoE server. The default authentication method for PPPoE is PAP; you can configure CHAP or MSCHAP manually.
  Specify an IP address: Click to specify an IP address for the interface rather than obtaining one from the PPPoE server:
    IP Address: Lets you enter an IP address for the interface.
    Subnet Mask: Lets you enter a subnet mask for the interface, or choose one from the drop-down list.
  Obtain default route using PPPoE: Click to install a default route through the PPPoE server, so that the PPPoE peer becomes the default gateway for the client.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Internet (Outside) VLAN Configuration - PPPoE


Benefits

The Internet (Outside) VLAN Configuration - PPPoE screen lets you configure your interface by obtaining an IP address from a PPPoE server. The security appliance is the PPPoE client on the specified interface. Before any network layer protocols can be routed, a PPPoE session must be opened and negotiated, in this case using PPP authentication (PAP, CHAP, or MSCHAP) of the client to the server.


Fields

The Internet (Outside) VLAN Configuration - PPPoE screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Group Name: Lets you specify the PPPoE group name under which the PPPoE settings for the interface are stored.

Note

You must specify a group name in order to proceed.

User Authentication area
  PPPoE Username: Lets you specify the PPPoE username for authentication purposes.
  PPPoE Password: Lets you specify the PPPoE password for authentication purposes.
  Confirm PPPoE Password: Lets you confirm the PPPoE password.

Authentication Method area
The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
  PAP: Check this to select the Password Authentication Protocol as the authentication method. PAP is the simplest authentication protocol: the username and password are sent in cleartext, so anyone who can observe the link can read them.
  CHAP: Check this to select the Challenge Handshake Authentication Protocol method. CHAP does not by itself prevent unauthorized access; it only identifies the remote end. The access server then determines whether that user is allowed access.
  MSCHAP: Check this to select Microsoft Challenge Handshake Authentication Protocol authentication for PPP connections between a computer running a Microsoft Windows operating system and an access server.

IP Address area
  Obtain IP Address using PPPoE: Click to obtain an IP address from the PPPoE server. The default authentication method for PPPoE is PAP; you can configure CHAP or MSCHAP manually.
  Specify an IP address: Click to specify an IP address for the interface rather than obtaining one from the PPPoE server:
    IP Address: Lets you enter an IP address for the interface.
    Subnet Mask: Lets you enter a subnet mask for the interface, or choose one from the drop-down list.
  Obtain default route using PPPoE: Click to install a default route through the PPPoE server, so that the PPPoE peer becomes the default gateway for the client.
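The PAP, CHAP, and MSCHAP choices on this screen and on the Outside Interface Configuration - PPPoE screen differ in what crosses the wire. The following Python example, added here and not code from the ASDM guide or from the security appliance, models both ends of a PAP exchange (RFC 1334) and a CHAP-MD5 exchange (RFC 1994): PAP carries the password in cleartext, while CHAP sends only MD5(identifier || secret || challenge) over a fresh random challenge, so a captured response cannot be replayed. The credential store, username, secret, and challenge bytes are constructed for illustration.

```python
"""PAP versus CHAP-MD5 as used for PPP/PPPoE authentication.

Added example, not code from the ASDM guide or the security appliance.
The credential store, names and challenge bytes are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential store held by the access server (authenticator).
SECRET_DB = {"isp-user": b"s3cret-pppoe"}


def pap_request(username: str, password: bytes) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): both fields in cleartext."""
    user = username.encode()
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def pap_verify(payload: bytes) -> bool:
    """Authenticator side of PAP: parse the request and compare the cleartext password."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    pwd = payload[2 + ulen:2 + ulen + plen]
    expected = SECRET_DB.get(user)
    return expected is not None and hmac.compare_digest(expected, pwd)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response value (RFC 1994 section 4.1): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side of CHAP: recompute the digest from the stored secret and compare."""
    secret = SECRET_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(username: str, peer_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> dict:
    """Run one CHAP round; return what crosses the wire and whether it authenticated."""
    if challenge is None:
        challenge = os.urandom(16)   # the authenticator picks a fresh challenge each time
    response = chap_response(identifier, peer_secret, challenge)
    return {
        "challenge": challenge,
        "response": response,
        "authenticated": chap_verify(username, identifier, challenge, response),
    }


def compare_methods() -> dict:
    """Show the difference between the two methods that the wizard screen only hints at."""
    secret = SECRET_DB["isp-user"]
    pap_wire = pap_request("isp-user", secret)
    first = chap_exchange("isp-user", secret)
    # An observer who captured `first` and replays its response against a new
    # challenge fails, because the digest is bound to the challenge it answered.
    second_challenge = os.urandom(16)
    replayed = chap_verify("isp-user", 1, second_challenge, first["response"])
    return {
        "pap_secret_visible_on_wire": secret in pap_wire,
        "pap_accepted": pap_verify(pap_wire),
        "chap_secret_visible_on_wire": secret in first["challenge"] + first["response"],
        "chap_accepted": first["authenticated"],
        "chap_replay_accepted": replayed,
    }
```

CHAP still requires the authenticator to store the secret in a recoverable form, and a captured challenge/response pair can be attacked offline by guessing the secret; it identifies the peer but does not encrypt the link, which is the limitation the screen text describes.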


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Inside Interface Configuration


Benefits

The Inside Interface Configuration screen lets you configure an inside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.

Note

If VLAN is configured, the screen displays a message that in order to make additional changes, you should go to Configuration > Interfaces.
Important Notes

With a full license, the security appliance supports up to five interfaces, of which a maximum of three can be named. With a restricted license, the security appliance supports up to three interfaces, and in transparent mode it supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead.
Fields

The Inside Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Inside Interface area
  Choose an interface: Choose an interface to configure from the drop-down list.
  Create new VLAN interface: Click to create a new inside interface.
  Enable interface: Check this box to activate the interface in privileged mode.
  Interface Name: Lets you specify a name for the interface.
  Security Level: Lets you enter a security level for the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Click to obtain an IP address from a PPPoE server for the inside interface.
  Use DHCP: Click to obtain an IP address for the inside interface from a DHCP server.


Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

  Use the following IP address: Lets you specify an IP address for the inside interface rather than obtaining one from a PPPoE or DHCP server:
    IP Address: Lets you specify an IP address for the inside interface.
    Subnet Mask: Lets you specify a subnet mask for the inside interface; the drop-down list offers a selection of subnet masks.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Business (Inside) VLAN Configuration


Benefits

The Business (Inside) VLAN Configuration screen lets you configure an inside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.

Note

If VLAN is configured, the screen displays a message that in order to make additional changes, you should go to Configuration > Interfaces.
Important Notes

With a full license, the security appliance supports up to five interfaces, of which a maximum of three can be named. With a restricted license, the security appliance supports up to three interfaces, and in transparent mode it supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead.
Fields

The Business (Inside) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Inside Interface area
  Choose an interface: Choose an interface to configure from the drop-down list.
  Create new VLAN interface: Click to create a new inside interface.
  Enable interface: Check this box to activate the interface in privileged mode.
  Interface Name: Lets you specify a name for the interface.
  Security Level: Lets you enter a security level for the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Click to obtain an IP address from a PPPoE server for the inside interface.
  Use DHCP: Click to obtain an IP address for the inside interface from a DHCP server.

Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

  Use the following IP address: Lets you specify an IP address for the inside interface rather than obtaining one from a PPPoE or DHCP server:
    IP Address: Lets you specify an IP address for the inside interface.
    Subnet Mask: Lets you specify a subnet mask for the inside interface; the drop-down list offers a selection of subnet masks.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System


For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

DMZ Interface Configuration


Benefits

The DMZ Interface Configuration screen lets you configure a work interface. The security appliance supports up to three fully functional named interfaces; in transparent mode, the security appliance supports up to two interfaces. Typically one interface connects to the outside Internet (known as an Internet zone), another connects to a home network (known as a home zone), and the third interface (known as a work interface), operates similarly to a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Important Notes

With a full license, the security appliance supports up to five interfaces, of which a maximum of three can be named. With a restricted license, the security appliance supports up to three interfaces, and in transparent mode it supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead.
Fields

The DMZ Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Work Interface area
  Choose an interface: Choose an interface to configure from the drop-down list.
  Create new VLAN interface: Check this box to create a new work interface.
  Enable interface: Check this box to activate the interface in privileged mode.
  Interface Name: Lets you specify a name for the interface.
  Security Level: Lets you enter a security level for the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Check this box to obtain an IP address from a PPPoE server for the work interface.
  Use DHCP: Check this box to obtain an IP address for the work interface from a DHCP server.

Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.


  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

  Use the following IP address: Lets you specify an IP address for the work interface rather than obtaining one from a PPPoE or DHCP server:
    IP Address: Lets you specify an IP address for the work interface.
    Subnet Mask: Lets you specify a subnet mask for the work interface; use the drop-down list to select a subnet mask.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Home (DMZ) VLAN Configuration


Benefits

The Home (DMZ) VLAN Configuration screen lets you configure a work interface. The security appliance supports up to three fully functional named interfaces; in transparent mode, the security appliance supports up to two interfaces. Typically one interface connects to the outside Internet (known as an Internet zone), another connects to a home network (known as a home zone), and the third interface (known as a work interface), operates similarly to a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Important Notes

With a full license, the security appliance supports up to five interfaces, of which a maximum of three can be named. With a restricted license, the security appliance supports up to three interfaces, and in transparent mode it supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of named interfaces has been reached, you may not be able to create a new VLAN and may have to select an existing VLAN instead.


Fields

The Home (DMZ) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Work Interface area
  Choose an interface: Choose an interface to configure from the drop-down list.
  Create new VLAN interface: Check this box to create a new work interface.
  Enable interface: Check this box to activate the interface in privileged mode.
  Interface Name: Lets you specify a name for the interface.
  Security Level: Lets you enter a security level for the interface, from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels for perimeter interfaces are not set by default.

IP Address area
  Use PPPoE: Check this box to obtain an IP address from a PPPoE server for the work interface.
  Use DHCP: Check this box to obtain an IP address for the work interface from a DHCP server.

Note

DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

  Obtain default route using DHCP: Check this box to obtain the IP address of the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway, at boot time.

  Use the following IP address: Lets you specify an IP address for the work interface rather than obtaining one from a PPPoE or DHCP server:
    IP Address: Lets you specify an IP address for the work interface.
    Subnet Mask: Lets you specify a subnet mask for the work interface; use the drop-down list to select a subnet mask.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces


Switch Port Allocation


Benefits

The Switch Port Allocation screen lets you allocate switch ports to your outside, inside, and work interface. As VLANs are port-based, you must add the ports to their respective VLANs. By default, all switch ports begin in VLAN1.
Fields

The Switch Port Allocation screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following three areas, each of which has the same four controls:

Allocate Switch Ports to your Outside Interface (vlanid) area
Allocate Switch Ports to your Inside Interface (vlanid) area
Allocate Switch Ports to your Work Interface (vlanid) area

  Available Ports: Lists the switch ports not yet allocated to this interface; select a port here to add it.
  Allocated Ports: Lists the switch ports allocated to this interface; select a port here to remove it.
  Add: Moves the selected port from the Available Ports list to the Allocated Ports list.
  Remove: Moves the selected port from the Allocated Ports list back to the Available Ports list.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent (1)
Security Context: Single, Multiple Context, System

1. The work interface is hidden in transparent mode.

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces


General Interface Configuration


Benefits

The General Interface Configuration screen lets you enable and restrict traffic between interfaces and between hosts connected to the same interface.
Important Notes

Restricted traffic is not an optional configuration. If you only have a restricted license, you must restrict traffic from one interface to one of the other interfaces. Typically, this is the traffic from the work interface to the inside interface, but any pair can be chosen. The Restrict Traffic area fields are hidden if you have a full license or if the device is in transparent mode.
Fields

The General Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable traffic between two or more interfaces with the same security level: Check this box to enable traffic between two or more interfaces with the same security level.
Enable traffic between two or more hosts connected to the same interface: Check this box to enable traffic between two or more hosts connected to the same interface.

Restrict traffic area

Note

Restricted traffic is not an optional configuration. If you only have a restricted license, you must restrict from one interface to any of the other interfaces. These fields are hidden if you have a full license or if the device is in transparent mode.

From interface: Lets you restrict traffic from an interface by selecting an interface from the drop-down menu.
To interface: Lets you restrict traffic to an interface by selecting an interface from the drop-down menu.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces


Static Routes
Benefits

The Static Routes screen lets you create static routes to reach networks connected to a router on any interface. To enter a default route, set the IP address and mask to 0.0.0.0, or the shortened form 0. If the IP address of one of the security appliance's own interfaces is used as the gateway IP address, the security appliance ARPs for the destination IP address in the packet instead of ARPing for the gateway IP address. Leave the Metric at the default of 1 unless you are sure of the number of hops to the gateway router.

Add/Edit Static Routes


Benefits

The Add/Edit Static Route dialog box lets you add or edit a static route.

Route Monitoring Options


Benefits

The Route Monitoring Options dialog box lets you set the parameters for monitoring the static route.

Auto Update Server


Benefits

The Auto Update Server screen allows you to remotely manage the ASA device. This includes automatically updating the ASA configuration, ASA image, and the ASDM image.
Fields

The Auto Update Server screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable Auto Update: Check this box to enable communication between the security appliance and an Auto Update Server.

Server area
Server URL: Click the drop-down list to select either secure HTTP (https) or http as the scheme that begins the URL for the Auto Update Server. In the next box, enter the remainder of the URL (the IP address of the Auto Update Server).
Verify server SSL certificate: Check this box to have the security appliance verify the SSL certificate presented by the Auto Update Server. Without this check, the appliance has no way to confirm that the configuration and images it downloads come from the intended server.

User area
Username: Enter the username to log in to the Auto Update Server.
Password: Enter the password to log in to the Auto Update Server.
Confirm Password: Enter the password again to confirm it.


Device Identity area
Device ID Type: Click the drop-down list to select the type of ID that uniquely identifies the security appliance. Selecting User-defined name enables the Device ID field, where you can specify a unique ID.
Device ID: Enter a unique string to use as the security appliance ID.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

DHCP Server
Benefits

The DHCP Server screen lets you configure the security appliance as a Dynamic Host Configuration Protocol (DHCP) server for hosts on the inside interface. You configure a range of IP addresses in an address pool; when a host on the inside interface requests an IP address using DHCP, the security appliance assigns it an address from this pool.
Important Notes

DNS, WINS, and other information for interfaces with the lowest security level (inside interfaces) can be set in this screen. To configure the DHCP server for other interfaces, go to Configuration > Properties > DHCP Services > DHCP Server in the main ASDM screen. The number of addresses allowed in the DHCP pool is 256. If you configure ASDM to use the DHCP server option, the security appliance takes the inside IP address, adds one, and configures the address pool based on the number of addresses available according to your feature license and platform. The pool size varies, and might be configured for fewer IP addresses than you are licensed to use in order to simplify the configuration.

Fields

The DHCP Server screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable DHCP server on the inside interface: Check this box to turn on DHCP for the security appliance.

DHCP Address Pool area
Starting IP Address: Enter the start of the DHCP server pool, a block of IP addresses from the lowest to highest. The security appliance supports 256 IP addresses.
Ending IP Address: Enter the end of the DHCP server pool, a block of IP addresses from the lowest to highest. The security appliance supports 256 IP addresses.

DHCP Parameters area
Enable auto-configuration: Check this box to allow the wizard to configure the DNS server, WINS server, lease length, and ping timeout.
DNS Server 1: Enter the IP address of the DNS server to use for DNS.
WINS Server 1: Enter the IP address of the WINS (Windows Internet Naming Service) server to use.
DNS Server 2: Enter the IP address of the alternate DNS server to use for DNS.
WINS Server 2: Enter the IP address of the alternate WINS server to use.
Lease Length (secs): Enter the amount of time (in seconds) the client can use its allocated IP address before the lease expires. The default value is 3600 seconds (1 hour).
Ping Timeout: Enter the ping timeout value in milliseconds.
Domain Name: Enter the domain name to use for DNS.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Properties > DHCP Services > DHCP Server

Address Translation (NAT/PAT)


Note

This feature is not available in transparent mode.


Benefits

The Address Translation (NAT/PAT) screen lets you configure NAT and PAT on your security appliance. PAT lets you set up a single IP address for use as the global address. With PAT, you can set multiple outbound sessions to appear as if they originate from a single IP address. When enabled, the security appliance chooses a unique port number from the PAT IP address for each outbound translation slot. This feature is useful in smaller installations where there are not enough unique IP addresses for all outbound connections. An IP address that you specify for a port address cannot be used in another global address pool. PAT lets up to 65,535 hosts start connections through a single outside IP address.


If you decide to use NAT, enter an address range to use for translating addresses on the inside interface to addresses on the outside interface. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.
Important Notes

If you use NAT, the range of IP addresses required on this screen creates a pool of addresses that is used outbound on the security appliance. If you have been assigned a range of Internet-registered, global IP addresses by your ISP, enter them here. The following are limitations when using the PAT address configuration:

Does not work with caching name servers.
You may need to enable the corresponding inspection engine to pass multimedia application protocols through the security appliance.
Does not work with the established command.
When in use with passive FTP, use the inspect protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic.
A DNS server on a higher security level interface that needs to get updates from a root name server on the outside interface cannot use PAT.

Fields

The Address Translation (NAT/PAT) screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable traffic through the firewall without translation: Click to allow traffic through the firewall without translation. NAT is a one-to-one address translation; PAT is a many (inside the firewall)-to-one translation.
Use Network Address Translation (NAT): Select to enable NAT and a range of IP addresses to be used for translation.
Starting Global IP Address: Enter the first IP address in a range of IP addresses to be used for translation.
Ending Global IP Address: Enter the last IP address in a range of IP addresses to be used for translation.
Subnet Mask (optional): Specify the subnet mask for the range of IP addresses to be used for translation.

Use Port Address Translation (PAT): Select to enable PAT. You must choose one of the following if you select this option.

Note

IPSec with PAT may not work properly because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address.

Use the IP address on the outside interface: The security appliance uses the IP address of the outside interface for PAT.
Specify an IP address: Specify an IP address to be used for PAT.
IP Address: Lets you enter an IP address for the outside interface for PAT.
Subnet Mask (optional): Lets you enter a subnet mask for the outside interface for PAT, or click the down arrow to select a subnet mask.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > NAT

Administrative Access
Benefits

The Administrative Access screen lets you configure management access on the security appliance. ASDM automatically lists the interfaces available for configuration, and in this screen you can set the IP address, interface name, and security level to make each interface unique.

Note

This screen allows configuration of management access to interfaces that were already configured elsewhere. You cannot change settings such as the IP address and the name of the interface in this screen.

Fields

The Administrative Access screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Type: Specifies whether the host or network accesses the security appliance via HTTPS/ASDM, SSH, or Telnet.
Interface: Displays the host or network name.
IP Address: Displays the IP address of the host or network.
Mask: Displays the subnet mask of the host or network.
Add: Lets you choose an access type and an interface, then specify the IP address and netmask of the host or network that will be allowed to connect to that interface for management purposes only.
Edit: Lets you edit an entry.
Delete: Lets you delete an entry.

Add/Edit Administrative Access Entry


Benefits

The Add/Edit Administrative Access Entry dialog box lets you configure the hosts. You must use one of the following types of preconfigured connections for the Command Line Interface console sessions:


Telnet protocol: A network connection using the Telnet protocol.
ASDM/HTTPS protocol: A network connection using the HTTPS (HTTP over SSL) protocol for Tools > Command Line Interface.
Secure Shell (SSH) protocol: A network connection using the Secure Shell (SSH) protocol.

Note

ASDM uses HTTPS for all communication with the security appliance.

Before configuring your security appliance from the ASDM Command Line Interface tool, we recommend that you review the security appliance Technical Documentation. See also Password and Authentication. For more information about the Command Line Interface commands used by each ASDM screen, see Command Line Interface Commands Used by ASDM Screens. Help > About the security appliance displays, among other useful things, which user last changed the configuration.
Fields

The Add/Edit Administrative Access Entry screen displays the OK, Cancel, and Help buttons, in addition to the following:

Access Type: Select one of the following types of preconfigured connections for the Command Line Interface console sessions from the drop-down menu: ASDM/HTTPS, SSH, or Telnet.
Interface Name: Lets you select from a list of predetermined interfaces.
IP Address: Lets you specify an IP address for the interface.
Subnet Mask: Lets you specify a subnet mask for the interface from a selection of subnet mask IP addresses.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen:
Configuration > Properties > Device Access > HTTPS/ASDM
Configuration > Properties > Device Access > Telnet
Configuration > Properties > Device Access > SSH
Configuration > Properties > History Metrics


Easy VPN Remote Configuration


Benefits

Companies with multiple sites can establish secure communications and resource sharing among them by deploying a Cisco Easy VPN solution that consists of an Easy VPN Server at its main site and Easy VPN remote devices at remote offices. Using an Easy VPN solution simplifies the deployment and management of a Virtual Private Network in the following ways:

Hosts at remote sites no longer have to run VPN client software.
Security policies reside on a central server and are pushed to the remote devices when a VPN connection is established.
Few configuration parameters need to be set locally.

When used as an Easy VPN remote device, the security appliance can also be configured to perform basic firewall services, such as protecting a web server on a DMZ from unauthorized access. However, if the security appliance is configured to function as an Easy VPN remote device, it cannot establish other types of tunnels. For example, the security appliance cannot function simultaneously as both an Easy VPN remote device and as one end of a standard peer-to-peer VPN deployment.

The Easy VPN Remote Configuration screen lets you form a secure VPN tunnel between the security appliance and a remotely located Cisco VPN 3000 Concentrator, Cisco IOS-based router, or security appliance that is acting as an Easy VPN server. The security appliance itself acts as an Easy VPN remote device to enable deployment of VPNs to remote locations via the devices listed above. There are two modes of operation when using the security appliance as an Easy VPN remote device:

Client Mode
Network Extension Mode

When configured in Easy VPN Client Mode, the security appliance does not expose the IP addresses of clients on its inside network. Instead, it uses NAT (Network Address Translation) to translate the IP addresses on the private network to a single, assigned IP address. When the security appliance is configured in Client Mode, you cannot ping or access any device from outside the private network.

When configured in Easy VPN Network Extension Mode, the security appliance does not protect the IP addresses of local hosts by substituting an assigned IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.

Use the following guidelines when deciding whether to configure the security appliance in Easy VPN Client or Network Extension Mode.

Use Client Mode if:

You want VPN connections to be initiated by client traffic.
You want the IP addresses of local hosts to be hidden from remote networks.
You are using DHCP on the ASA 5505 to provide IP addresses to local hosts.

Use Network Extension Mode if:

You want VPN connections to remain open even when not required for transmitting traffic.
You want remote hosts to be able to communicate directly with hosts on the local network.
Hosts on the local network have static IP addresses.


Important Notes

ASA supports a maximum of 11 Easy VPN Servers: one primary and up to 10 secondary.


In Easy VPN Client Mode, you use a DHCP server to generate dynamic IP addresses for hosts on the inside network. To use Easy VPN Client Mode, you must enable the DHCP server on the inside interface.

Before you can connect the ASA Easy VPN remote device to the Easy VPN Server, you must establish network connectivity between both devices through your Internet service provider (ISP). After connecting your ASA to the DSL or cable modem, you should follow the instructions provided by your ISP to complete the network connection. Basically, there are three methods of obtaining an IP address when establishing connectivity to your ISP:

PPPoE client
DHCP client
Static IP address configuration

The Easy VPN Server controls the policy enforced on the ASA Easy VPN remote device. However, to establish the initial connection to the Easy VPN Server, you must complete some configuration locally. You can perform this configuration by following the steps in this Wizard or by using the command-line interface.
Fields

The Easy VPN Remote Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable Easy VPN remote: Check this box to enable the ASA to act as an Easy VPN remote device. Enabling the ASA to act as an Easy VPN Remote allows you to choose the networks from which your ASA can be remotely managed. If you do not enable this feature, any host that has access to the ASA outside interface through a VPN tunnel can manage it remotely.

Mode area
Client Mode: Click if you are using a DHCP server to generate dynamic IP addresses for hosts on your inside network. Client Mode enables VPN connections by traffic, allowing resources to be used only on demand. The ASA applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the ASA.

Note

To use Client Mode, you must enable the DHCP server on the inside interface.

Network extension: Click if hosts on your inside network have static IP addresses. In Network Extension Mode, IP addresses of clients on the inside interface are received without change at the Easy VPN Server, and VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the ASA.

Group Settings area
Use X.509 Certificate: Click to use X.509 certificates to allow IPSec Main Mode. Use the drop-down list to select a trustpoint or to enter a trustpoint.
Use group password: Lets you enter a password for a group of users.
Group Name: Lets you enter a name for the user group.
Password: Lets you enter a password for the user group.


Confirm password: Requires that you confirm the password.

User Settings area
Username: Lets you enter a username for your settings.
Password: Lets you enter a password for your settings.
Confirm Password: Requires that you confirm the password for your settings.

Easy VPN Server area: Using the ASA as an Easy VPN Server lets you configure your VPN policy in a single location on the ASA, and then push this configuration to multiple Easy VPN remote devices.
Primary server: Lets you enter the IP address of the primary Easy VPN Server.
Secondary server: Lets you enter the IP address of a secondary Easy VPN Server.

Note

ASA supports a maximum of 11 Easy VPN Servers (one primary and up to 10 secondary).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Management IP Address Configuration


Note

This feature is available only in transparent mode.


Benefits

The Management IP Address Configuration screen lets you configure the management IP address of the host for this context.
Fields

The Management IP Address Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Management IP Address: The IP address of the host that can access this context for management purposes using ASDM or a session protocol.
Subnet Mask: Subnet mask for the Management IP address.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Properties > Management IP

Other Interfaces Configuration


Benefits

The Other Interfaces Configuration screen lets you configure the remaining interfaces. You highlight a listed interface, select the Edit button, and configure it from the Edit screen.
Fields

The Other Interfaces Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Interface: Displays the network interface on which the original host or network resides.
Name: Displays the name of the interface being edited.
Security Level: Displays the security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default.
Enable traffic between two or more interfaces with same security levels: Check this box if you assign the same security level to two or more interfaces, and want to enable traffic between the interfaces.
Enable traffic between two or more hosts connected to the same interface: Check this box if you have an interface between two or more hosts and want to enable traffic between them.
Edit: Click Edit to configure the interface in the Edit Interface dialog box.

Edit Interface
Benefits

Use the Edit Interface dialog box to edit existing interfaces.


Fields

The Edit Interface dialog box displays the OK, Cancel, and Help buttons, in addition to the following:

Interface: Displays the name of the selected interface to edit.
Interface Name: Displays the name of the selected interface, and lets you change the name of the interface.


Security Level: Displays the security level of the selected interface, or lets you select a security level for the interface: either 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. If you change the security level of the interface to a lower level, a caution warning appears.

IP Address area
Use PPPoE: Check this box to use PPPoE to provide an authenticated method of assigning an IP address to an outside interface. PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network.

Note

Because PPPoE is permitted on multiple interfaces, each instance of the PPPoE client may require different authentication levels with different usernames and passwords.

Use DHCP: Check this box to use the ASA as a DHCP server to provide network configuration parameters, including dynamically assigned IP addresses, to DHCP clients.
Use the following IP address: Check this box to input a specific IP address for an interface.
IP Address: Lets you edit the IP address of the interface.
Subnet Mask: Lets you edit the subnet mask by entering a new address or selecting an existing IP address from the drop-down list.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Startup Wizard Summary


Benefits

The Startup Wizard Summary screen lets you submit all of the settings you made to the security appliance.

If you would like to change any of the settings you made, click Back. If you started the Startup Wizard directly from a browser, when you click Finish, the configuration created by the wizard is sent to the security appliance and saved to Flash memory. If you ran the Startup Wizard from within ASDM, you must explicitly save the configuration to Flash memory just like any other configuration changes.


Fields

The Startup Wizard Summary screen displays the Back, Finish, Cancel, and Help buttons.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Chapter 4

Configuring Interfaces
This chapter describes how to configure each interface and subinterface for a name, security level, and IP address. In multiple context mode, you can configure hardware properties and create subinterfaces in the system execution space, while you configure the IP address, name, and security level in each context.

Note

To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 5, Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.

This chapter includes the following sections:

Security Level Overview, page 4-1
Configuring the Interfaces, page 4-2

Security Level Overview


Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. The level controls the following behavior:

Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines: Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engine: Applied only for outbound connections.
SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.


NAT control: When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command: This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.
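The security-level rules listed above (implicit outbound permit, same-security traffic, NAT control, and the established return path) can be modelled to audit which interface pairs are reachable before any access list is applied. This is an added illustration, not ASDM or ASA code: the Interface and Policy classes, the function names, and the inside/dmz/outside sample levels are this example's own constructions.

```python
"""Model of the interface security-level rules from 'Security Level Overview'.

Added example, not code from the ASDM guide or the ASA. Names and the sample
topology are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int  # 0 (lowest) .. 100 (highest), as the chapter states

    def __post_init__(self):
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be 0..100")


@dataclass
class Policy:
    # "Enable traffic between two or more interfaces with the same security level"
    same_security_inter_interface: bool = False
    # NAT control: higher-to-lower traffic must have a NAT configuration
    nat_control: bool = False
    # Existing connections as (src_interface, dst_interface) name pairs,
    # used to model the 'established' return-connection rule.
    established: set = field(default_factory=set)


def direction(src: Interface, dst: Interface) -> str:
    """Classify a flow as outbound (higher -> lower), inbound (lower -> higher)
    or same-security, the three cases the chapter distinguishes."""
    if src.security_level > dst.security_level:
        return "outbound"
    if src.security_level < dst.security_level:
        return "inbound"
    return "same-security"


def implicit_permit(src: Interface, dst: Interface, policy: Policy) -> bool:
    """Whether a new connection from src to dst is permitted with no access list.

    Outbound traffic is implicitly permitted. Same-security traffic is permitted
    only when the same-security option is enabled. Inbound traffic is denied
    unless a connection already exists in the opposite direction and the
    'established' rule lets the return connection through.
    """
    d = direction(src, dst)
    if d == "outbound":
        return True
    if d == "same-security":
        return policy.same_security_inter_interface
    return (dst.name, src.name) in policy.established


def nat_required(src: Interface, dst: Interface, policy: Policy) -> bool:
    """With NAT control on, hosts on a higher security interface must be
    translated when they reach a lower security interface. Same-security and
    inbound flows, or any flow without NAT control, may stay untranslated."""
    return policy.nat_control and direction(src, dst) == "outbound"


def audit(interfaces, policy: Policy):
    """List every (src, dst, nat_required) pair that the security levels alone
    make reachable, so an operator can review the implicit policy."""
    reachable = []
    for src in interfaces:
        for dst in interfaces:
            if src is not dst and implicit_permit(src, dst, policy):
                reachable.append((src.name, dst.name, nat_required(src, dst, policy)))
    return reachable


if __name__ == "__main__":
    # Constructed sample topology following the chapter's guidance:
    # inside at 100, a DMZ in between, outside at 0.
    inside = Interface("inside", 100)
    dmz = Interface("dmz", 50)
    outside = Interface("outside", 0)
    for row in audit([inside, dmz, outside], Policy(nat_control=True)):
        print(row)
```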

Configuring the Interfaces


By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Note

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 12, Failover, to configure the failover and state links.

For multiple context mode, follow these guidelines:

Configure the context interfaces from within each context.
You can only configure context interfaces that you already assigned to the context in the system configuration.
The system configuration only lets you configure Ethernet settings and VLANs. The exception is for failover interfaces; do not configure failover interfaces with this procedure. See the Failover chapter for more information.

This section includes the following topics:

Interfaces (System), page 4-2
Interfaces (Single Mode and Context), page 4-5


Interfaces (System)
The Interfaces pane displays configured interfaces and subinterfaces. Before you can assign an interface to a security context (see the Configuring Security Contexts section on page 7-16), define the interface in this pane. Although the system configuration does not include any networking parameters for these interfaces, the system controls the allocation of interfaces to security contexts.
Fields

Interface: Displays the interface ID. All physical interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.


If you use failover, you need to assign a dedicated physical interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces). To ensure that you can use an interface for failover, do not configure an interface name in the Interfaces pane. Other settings, including the IP address, are ignored; you set all relevant parameters in the Failover: Setup tab. You can use a subinterface for failover as long as you do not set a name for the physical interface or the subinterface. After you assign an interface as the failover link or state link, you cannot edit or delete the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

EnabledIndicates if the interface is enabled, Yes or No. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

VLANShows the VLAN assigned to a subinterface. Physical interfaces show native, meaning that the physical interface is untagged. DescriptionDisplays a description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. AddAdds a subinterface. EditEdits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex. DeleteDeletes the selected subinterface. You cannot delete physical interfaces or allocated interfaces in a context. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           No       No                 Yes

Add/Edit Interface
The Add Interface dialog box lets you add a subinterface. The Edit Interface dialog box lets you edit an interface or subinterface. If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.


After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

- Hardware Port: When you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled.

- Configure Hardware Properties: For a physical interface, opens the Hardware Properties dialog box so you can set the speed and duplex.

- Enable Interface: Enables this interface to pass traffic. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

- VLAN ID: For a subinterface, sets the VLAN ID, between 1 and 4095. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

- Sub-interface ID: Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

- Description: Sets an optional description up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           No       No                 Yes

Hardware Properties
The Hardware Properties dialog box lets you set the speed and duplex of physical interfaces.
Fields

- Hardware Port: Display only. Displays the interface ID.

- Media Type: Sets the media type to RJ45 or SFP. The default is RJ45.

- Duplex: Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

- Speed: Lists the speed options for the interface. The speeds available depend on the interface type. SFP interfaces are always 1000 Mbps; for them you set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           No       No                 Yes

Interfaces (Single Mode and Context)

The Interfaces pane displays configured interfaces and subinterfaces. You can add or delete subinterfaces (single mode only), and also enable communication between interfaces on the same security level or enable traffic to enter and exit the same interface. Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, Management 0/0, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.
Benefits

This pane lets you enable communication between interfaces on the same security level. By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

- You can configure more than 101 communicating interfaces. If you use a different level for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).

- Traffic can flow freely between all same-security interfaces without access lists.
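The following is an added example, not code from the ASDM guide or from the ASA itself. It models the implicit-permit decision described in this section's benefits list and in the Security Level Overview of the ASA 5505 chapter: a flow from a higher security level to a lower one is implicitly permitted, the reverse is not, same-level and same-interface traffic require the two "Enable traffic between ..." options, a management-only interface passes no through traffic, and an access list applied to the ingress interface replaces the implicit rule and ends in an implicit deny. Interface names, security levels and the sample access list are constructed for the demonstration.

```python
"""Model of the ASA implicit-permit decision for a flow between interfaces.

Added example; not code from the Cisco ASDM guide or from the ASA itself.
It encodes only the rules the text states. Interface names, levels and the
sample access list are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int                  # 0 (lowest) .. 100 (highest)
    # Inbound access list: ordered (action, destination interface or "any").
    acl: Optional[List[Tuple[str, str]]] = None
    management_only: bool = False        # "Dedicate this interface to management only"

    def __post_init__(self) -> None:
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be 0..100")


@dataclass
class Appliance:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    same_security_inter_interface: bool = False   # "...two or more interfaces..."
    same_security_intra_interface: bool = False   # "...hosts connected to the same interface"

    def add(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    def decide(self, src: str, dst: str) -> str:
        """Return 'permit', 'deny', 'acl:permit' or 'acl:deny' for a flow
        entering on interface src and leaving on interface dst."""
        s, d = self.interfaces[src], self.interfaces[dst]
        if s.management_only or d.management_only:
            return "deny"                # management-only: no through traffic at all
        if s.acl is not None:
            # An applied access list replaces the implicit rule; first match wins,
            # and anything not matched hits the implicit deny at the end.
            for action, target in s.acl:
                if target in ("any", dst):
                    return f"acl:{action}"
            return "acl:deny"
        if src == dst:
            return "permit" if self.same_security_intra_interface else "deny"
        if s.security_level > d.security_level:
            return "permit"              # outbound, higher -> lower: implicit permit
        if s.security_level == d.security_level:
            return "permit" if self.same_security_inter_interface else "deny"
        return "deny"                    # inbound, lower -> higher: nothing permits it


def build_sample() -> Appliance:
    """Constructed layout: outside(0), inside(100), two same-level DMZs,
    a partner interface with an access list, and a management-only interface."""
    asa = Appliance()
    asa.add(Interface("outside", 0))
    asa.add(Interface("inside", 100))
    asa.add(Interface("dmz1", 50))
    asa.add(Interface("dmz2", 50))
    asa.add(Interface("partner", 50, acl=[("permit", "outside")]))
    asa.add(Interface("mgmt", 100, management_only=True))
    return asa


if __name__ == "__main__":
    asa = build_sample()
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("dmz1", "dmz2"),
                     ("partner", "outside"), ("partner", "dmz1"), ("mgmt", "inside")]:
        print(f"{src:8} -> {dst:8} {asa.decide(src, dst)}")
```

Toggling `same_security_inter_interface` changes only the dmz1 to dmz2 verdict; the partner interface is unaffected because its access list has already replaced the implicit rule, which is the reason an access list on a same-security interface still needs an explicit permit.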

Fields

- Interface: Displays the interface ID. All physical interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

  If you use failover, you need to assign a dedicated physical interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces.) To ensure that you can use an interface for failover, do not configure an interface name in the Interfaces pane. Other settings, including the IP address, are ignored; you set all relevant parameters in the Failover: Setup tab. You can use a subinterface for failover as long as you do not set a name for the physical interface or the subinterface. After you assign an interface as the failover link or state link, you cannot edit or delete the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

  For multiple context mode, the physical interfaces are listed only in the system configuration. When you allocate interfaces to a context, each allocated interface is listed automatically in the context.

- Name: Displays the interface name.

- Enabled: Indicates if the interface is enabled, Yes or No. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

- Security Level: Displays the interface security level between 0 and 100. By default, the security level is 0.

- IP Address: Displays the IP address, or in transparent mode, the word native. Transparent mode interfaces do not use IP addresses. To set the IP address for the context or the security appliance, see the Management IP pane.

- Subnet Mask: For routed mode only. Displays the subnet mask.

- Management Only: Indicates whether the interface accepts only traffic directed to the security appliance itself (management traffic) and not through traffic.

- MTU: Displays the MTU. By default, the MTU is 1500.

- Active MAC Address: Shows the active MAC address, if you assigned one manually on the Add/Edit Interface > Advanced tab.

- Standby MAC Address: Shows the standby MAC address (for failover), if you assigned one manually.

- Description: Displays a description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

- Add: Adds a subinterface.

- Edit: Edits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

- Delete: Deletes the selected subinterface. You cannot delete physical interfaces or allocated interfaces in a context. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane.

- Enable traffic between two or more interfaces which are configured with same security levels: Enables communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

- Enable traffic between two or more hosts connected to the same interface: Enables traffic to enter and exit the same interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           Yes      Yes                No (1)

1. For the system Interfaces pane, see the Interfaces (System) pane.

Add/Edit Interface > General

The Add Interface > General tab lets you add a subinterface. The Edit Interface > General tab lets you edit an interface or subinterface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts section on page 7-16 to assign interfaces to contexts. If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

- Hardware Port: When you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled.

- Configure Hardware Properties: For a physical interface, opens the Hardware Properties dialog box so that you can set the speed and duplex, and for some interfaces, the media type. For multiple context mode, you can only set physical properties in the system configuration.

- Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

- Dedicate this interface to management only: Sets the interface to accept traffic to the security appliance only, and not through traffic.

- VLAN ID: For a subinterface, sets the VLAN ID, between 1 and 4095. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

- Sub-interface ID: Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

- Interface Name: Sets an interface name up to 48 characters in length.

- Security Level: Sets the security level between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

- IP Address: For routed mode only. For multiple context mode, set the IP address in the context configuration.

  - Use Static IP: Manually sets the IP address.
    - IP address: Sets the IP address.
    - Subnet Mask: Sets the subnet mask.

  - Obtain Address via DHCP: Dynamically sets the IP address using DHCP.
    - For the client identifier in DHCP option 61: To force a MAC address to be stored inside a DHCP request packet for option 61 instead of the default internally generated string, click Use MAC address. Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned. To use the default string, click Use Cisco-<MAC>-<interface_name>-<host>.
    - Obtain Default Route Using DHCP: Obtains a default route from the DHCP server so that you do not need to configure a default static route.
    - Renew DHCP Lease: Renews the DHCP lease.
    - Retry Count: Sets the number of times, between 4 and 16, that the security appliance resends a DHCP request if it does not receive a reply after the first attempt. The total number of attempts is the retry count plus the first attempt. For example, if you set the retry count to 4, the security appliance sends up to 5 DHCP requests.
    - DHCP Learned Route Metric: Assigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrative distance for the learned routes is 1.
    - Enable tracking: Check this check box to enable route tracking for DHCP-learned routes.
      Note: Route tracking is only available in single, routed mode.
      - Track ID: A unique identifier for the route tracking process. Valid values are from 1 to 500.
      - Track IP Address: Enter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface.
      - SLA ID: A unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647.
      - Monitoring Options: Click this button to open the Route Monitoring Options dialog box, where you can configure the parameters of the tracked object monitoring process.
    - Enable DHCP Broadcast flag for DHCP request and discover messages: Allows the security appliance to set the broadcast flag in the DHCP client packet. This option sets the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover requesting an IP address. The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1. Without this option, the broadcast flag is set to 0, and the DHCP server unicasts the reply packets to the client with the offered IP address. The DHCP client can receive both broadcast and unicast offers from the DHCP server.

  - Use PPPoE: Dynamically sets the IP address using PPPoE.
    Note: PPPoE is not supported with failover, in multiple context mode, or in transparent mode. PPPoE is only supported in single routed mode without failover.
    - Group Name: Specify a group name.
    - PPPoE Username: Specify the username provided by your ISP.
    - PPPoE Password: Specify the password provided by your ISP.
    - Confirm Password: Re-enter the password provided by your ISP.
    - PPP Authentication: Select either PAP, CHAP, or MSCHAP. PAP passes the cleartext username and password during authentication and is not secure. With CHAP, the client answers the server challenge with a one-way hash computed over the challenge and the password, sent together with a cleartext username; the password itself never crosses the link. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only hashed passwords rather than the cleartext passwords CHAP requires. MSCHAP also generates a key for data encryption by MPPE.
    - Store Username and Password in Local Flash: Stores the username and password in a special location of NVRAM on the security appliance. If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator.
    - IP Address and Route Settings: Displays the PPPoE IP Address and Route Settings dialog box, where you can choose addressing and tracking options.

- Description: Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
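The following is an added example, not code from the ASDM guide or from the ASA's DHCP client. It builds and parses the two DHCPDISCOVER fields that the DHCP options on this tab control: the option 61 client identifier, either the interface MAC (what Use MAC address selects) or the default Cisco-<MAC>-<interface_name>-<host> string, and the broadcast flag that decides whether the server broadcasts or unicasts its offer. The packet layout follows RFC 2131 (fixed header) and RFC 2132 (options); the exact byte encoding of Cisco's default string (a type byte of 0 followed by the ASCII text) is an assumption, as are the MAC, interface name, hostname and transaction ID used below.

```python
"""Build and parse the DHCPDISCOVER fields that the DHCP options above control.

Added example, not code from the ASDM guide or the ASA. The encoding of the
default Cisco-<MAC>-<interface_name>-<host> client identifier is assumed;
MAC, interface name, hostname and xid are constructed for the demonstration.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FLAG_BROADCAST = 0x8000        # bit 15 of the flags field (RFC 2131 section 2)
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header
OPT_MESSAGE_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255


def client_id_mac(mac: bytes) -> bytes:
    """Option 61 value: hardware type 1 (Ethernet) followed by the MAC."""
    return b"\x01" + mac


def client_id_cisco_string(mac: bytes, ifname: str, host: str) -> bytes:
    """Option 61 value for the default Cisco-<MAC>-<interface_name>-<host>
    string. Type byte 0 marks a non-hardware identifier (assumed encoding)."""
    dotted = "{:02x}{:02x}.{:02x}{:02x}.{:02x}{:02x}".format(*mac)
    return b"\x00" + f"Cisco-{dotted}-{ifname}-{host}".encode("ascii")


def build_discover(mac: bytes, client_id: bytes, broadcast: bool,
                   xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER with the given client identifier and broadcast flag."""
    if len(mac) != 6:
        raise ValueError("Ethernet MAC must be 6 bytes")
    if len(client_id) > 255:
        raise ValueError("option 61 value must fit in a one-byte length")
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, flags,                  # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"),           # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,        # sname, file
    )
    options = (bytes([OPT_MESSAGE_TYPE, 1, 1])              # 53 = DHCPDISCOVER
               + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_discover(packet: bytes) -> dict:
    """Pull out the fields a server looks at: broadcast flag, hardware
    address, message type and client identifier."""
    fixed = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                   # pad option, no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    client_id = options.get(OPT_CLIENT_ID, b"")
    return {
        "broadcast": bool(fixed[6] & FLAG_BROADCAST),
        "chaddr": fixed[11][:fixed[2]],           # chaddr truncated to hlen
        "message_type": options.get(OPT_MESSAGE_TYPE, b"")[:1],
        "client_id_type": client_id[:1],
        "client_id": client_id[1:],
    }


def reply_destination(parsed: dict, offered_ip: str) -> str:
    """Where the server sends its offer, as the text describes: broadcast
    when the flag is set, otherwise unicast to the offered address."""
    return "255.255.255.255" if parsed["broadcast"] else offered_ip


def total_attempts(retry_count: int) -> int:
    """Retry Count (4..16) plus the first request gives the total attempts."""
    if not 4 <= retry_count <= 16:
        raise ValueError("retry count must be between 4 and 16")
    return retry_count + 1
```

Feeding `parse_discover` a capture of the appliance's own DISCOVER is the quickest way to confirm which form of option 61 it is sending when an ISP refuses to hand out an address.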

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           Yes      Yes                No (1)

1. For the system Add/Edit Interface dialog box, see the system Add/Edit Interface dialog box.
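The following is an added example, not code from the ASDM guide or from the ASA's PPPoE client. It shows what the PAP and CHAP choices in the PPP Authentication field put on the wire (MSCHAP is left out): a PAP Authenticate-Request carries the username and password in the clear (RFC 1334), while a CHAP response is MD5 over the identifier, the secret and the server's challenge (RFC 1994), so the password itself never crosses the link. It also shows the cost of CHAP that the text alludes to: the access concentrator must keep the cleartext secret, and a captured exchange can be attacked offline by guessing. The username, password, challenge and word list are constructed for the demonstration.

```python
"""PAP versus CHAP on the wire, and the offline-guessing exposure of CHAP.

Added example, not from the ASDM guide or the ASA's PPPoE client. Username,
password, challenge and word list are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: peer-id and password, both in the clear."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def sniff_pap(payload: bytes) -> Tuple[str, str]:
    """What anyone on the path recovers from a PAP exchange."""
    ulen = payload[0]
    username = payload[1:1 + ulen]
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen]
    return username.decode(), password.decode()


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge).
    The password itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Access-concentrator side of CHAP. It has to keep the cleartext secret
    to recompute the hash, which is what the text contrasts with MSCHAP."""

    def __init__(self, users: Dict[str, str]):
        self.users = users           # username -> cleartext secret
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Fresh identifier and random challenge for one authentication."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, username: str, identifier: int,
               challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a captured CHAP exchange: CHAP keeps the
    password off the wire, but a capture lets an attacker test guesses at will."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    print("PAP on the wire:", sniff_pap(pap_authenticate_request("isp-user", "hunter2")))
    server = ChapAuthenticator({"isp-user": "hunter2"})
    ident, chal = server.challenge()
    resp = chap_response(ident, "hunter2", chal)
    print("CHAP accepted:", server.verify("isp-user", ident, chal, resp))
    print("CHAP guessed offline:", crack_chap(ident, chal, resp, ["password", "hunter2"]))
```

The practical consequence for the PPPoE Password field is that the strength of the password, not the choice of CHAP over PAP, is what protects the account against someone who can capture the link.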

Add/Edit Interface > Advanced

The Add/Edit Interface > Advanced tab lets you set the MTU and MAC address of the interface.
Fields

- MTU: Sets the MTU from 300 to 65,535 bytes. The default is 1500 bytes. For multiple context mode, set the MTU in the context configuration.

- Mac Address Cloning: Manually assigns MAC addresses. By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the How the Security Appliance Classifies Packets section on page 7-2 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the Security Contexts section on page 7-16 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this option to override the generated address. For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

  - Active Mac Address: Assigns a MAC address to the interface in H.H.H format, where each H is a 16-bit hexadecimal number (four hex digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

  - Standby Mac Address: For use with failover, sets the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
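The following is an added example, not code from the ASDM guide or from the ASA. It parses the H.H.H format the Active Mac Address field expects and then models the two uses the text gives manually assigned MACs: on a shared interface, each context owns a distinct MAC and the appliance picks the context from the destination MAC; on failover, the unit that becomes active answers to the active MACs while the former active unit falls back to the standby MACs. The context names, the interface ID and the MAC values (locally administered addresses starting 02) are constructed for the demonstration, and the fallback for a frame whose MAC matches no context is left to the classification rules described in Chapter 7, which this model does not reproduce.

```python
"""Parse the H.H.H MAC format from the Advanced tab and show what the
manually assigned active and standby MACs are used for.

Added example, not code from the ASDM guide or the ASA. Context names,
interface ID and MAC values are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_HHH = re.compile(r"^([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})$")


def is_valid_hhh(text: str) -> bool:
    """True for three dot-separated groups of exactly four hex digits."""
    return _HHH.match(text.strip()) is not None


def parse_hhh(text: str) -> bytes:
    """'000C.F142.4CDE' -> six bytes. Each H is a 16-bit hexadecimal number
    (four hex digits), so three groups make the 48-bit address."""
    m = _HHH.match(text.strip())
    if m is None:
        raise ValueError(f"not an H.H.H MAC address: {text!r}")
    return bytes.fromhex("".join(m.groups()))


def to_colon(mac: bytes) -> str:
    """Six bytes -> '00:0c:f1:42:4c:de', the form most capture tools print."""
    return ":".join(f"{b:02x}" for b in mac)


@dataclass
class ContextInterface:
    context: str
    active_mac: bytes
    standby_mac: bytes


@dataclass
class SharedInterface:
    """One physical interface or subinterface allocated to several contexts."""
    interface_id: str
    members: List[ContextInterface] = field(default_factory=list)

    def add(self, member: ContextInterface) -> None:
        # Unique MACs are the whole point: refuse a duplicate active MAC.
        for existing in self.members:
            if existing.active_mac == member.active_mac:
                raise ValueError(
                    f"{member.context}: active MAC already used by {existing.context}")
        self.members.append(member)

    def classify(self, dst_mac: bytes, unit_is_active: bool = True) -> Optional[str]:
        """Pick the context for a frame arriving on this shared interface.
        The active unit answers to the active MACs; after a failover the
        former active unit (now standby) answers to the standby MACs."""
        for member in self.members:
            owned = member.active_mac if unit_is_active else member.standby_mac
            if owned == dst_mac:
                return member.context
        return None   # no unique-MAC match; other classification rules would apply


def build_sample() -> SharedInterface:
    """Constructed: GigabitEthernet0/1.100 shared by contexts ctxA and ctxB."""
    shared = SharedInterface("GigabitEthernet0/1.100")
    shared.add(ContextInterface("ctxA", parse_hhh("0200.0000.0001"), parse_hhh("0200.0000.0011")))
    shared.add(ContextInterface("ctxB", parse_hhh("0200.0000.0002"), parse_hhh("0200.0000.0012")))
    return shared


if __name__ == "__main__":
    shared = build_sample()
    for text in ("0200.0000.0001", "0200.0000.0002", "0200.0000.0011"):
        print(text, "->", shared.classify(parse_hhh(text)))
```

When choosing manual values, keep the locally administered bit set (second hex digit of the first group 2, 6, A or E) so the addresses cannot collide with a vendor's burned-in range on the same segment.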
Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           Yes      Yes                No (1)

1. For the system Add/Edit Interface dialog box, see the system Add/Edit Interface dialog box.

PPPoE IP Address and Route Settings

The PPPoE IP Address and Route Settings dialog lets you choose addressing and tracking options for PPPoE connections.
Fields

- IP Address area: Lets you choose between obtaining an IP address using PPP or specifying an IP address, and contains the following fields:
  - Obtain IP Address using PPP: Select to enable the security appliance to use PPP to get an IP address.
  - Specify an IP Address: Specify an IP address and mask for the security appliance to use instead of negotiating with the PPPoE server to assign an address dynamically.

- Route Settings area: Lets you configure route and tracking settings and contains the following fields:
  - Obtain default route using PPPoE: Sets the default route when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
  - PPPoE learned route metric: Assigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrative distance for the learned routes is 1.
  - Enable tracking: Check this check box to enable route tracking for PPPoE-learned routes.
    Note: Route tracking is only available in single, routed mode.
  - Primary Track: Select this option to configure the primary PPPoE route tracking.
    - Track ID: A unique identifier for the route tracking process. Valid values are from 1 to 500.
    - Track IP Address: Enter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface.
    - SLA ID: A unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647.
    - Monitor Options: Click this button to open the Route Monitoring Options dialog box, where you can configure the parameters of the tracked object monitoring process.
  - Secondary Track: Select this option to configure the secondary PPPoE route tracking.
    - Secondary Track ID: A unique identifier for the route tracking process. Valid values are from 1 to 500.

Hardware Properties
The Hardware Properties dialog box lets you set the speed and duplex of physical interfaces, and for an interface SSM, the media type. In multiple context mode, configure these settings in the system configuration.
Fields

- Hardware Port: Display only. Displays the interface ID.

- MAC Address: Display only. Displays the interface MAC address.

- Media Type: Sets the media type to RJ45 or SFP. SFP is only available for SSM interfaces on the ASA 5500 series adaptive security appliance. The default is RJ45.

- Duplex: Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

- Speed: Lists the speed options for the interface. The speeds available depend on the interface type. SFP interfaces are always 1000 Mbps; for them you set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
Yes      Yes           Yes      Yes                No (1)

1. For the system Hardware Properties dialog box, see the system Hardware Properties dialog box.

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.

Note: To configure interfaces of other models, see Chapter 4, Configuring Interfaces.

This chapter includes the following sections:

- Interface Overview, page 5-13
- Configuring VLAN Interfaces, page 5-17
- Configuring Switch Ports, page 5-23

Interface Overview
This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes the following topics:

- Understanding ASA 5505 Ports and Interfaces, page 5-14
- Maximum Active VLAN Interfaces for Your License, page 5-14
- Default Interface Configuration, page 5-16
- VLAN MAC Addresses, page 5-16
- Power Over Ethernet, page 5-16
- Monitoring Traffic Using SPAN, page 5-16
- Security Level Overview, page 5-17


Understanding ASA 5505 Ports and Interfaces

The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:

- Physical switch ports: The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the Power Over Ethernet section on page 5-16 for more information. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.

- Logical VLAN interfaces: In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the Maximum Active VLAN Interfaces for Your License section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business, and Internet VLANs.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

Note: Subinterfaces are not available for the ASA 5505 adaptive security appliance.

Maximum Active VLAN Interfaces for Your License

In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured.


With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 5-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
Figure 5-1 ASA 5505 Adaptive Security Appliance with Base License

[Figure: an ASA 5505 with Base License connecting three VLANs, Internet, Home, and Business]

With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to accommodate multiple VLANs per port.

Note: The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover. See Figure 5-2 for an example network.

Figure 5-2 ASA 5505 Adaptive Security Appliance with Security Plus License

[Figure: an ASA 5505 with Security Plus License connecting Primary ISP, Backup ISP, DMZ, and Inside VLANs, with a failover link to a second, failover ASA 5505]
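The following is an added example, not code from the ASDM guide or from the ASA. It checks an intended ASA 5505 switch-port and VLAN layout against the rules in the Understanding ASA 5505 Ports and Interfaces and Maximum Active VLAN Interfaces sections: ports in the same VLAN are switched in hardware and never see the security policy, traffic between VLANs goes through the firewall (routed or bridged), only a VLAN with a name is active, the active-VLAN limit depends on license and firewall mode, and with the Base license the third VLAN may initiate traffic to only one other VLAN. That last restriction is modeled as a set of VLANs a VLAN may not forward to; on the ASA it is configured with the `no forward interface vlan` command, which this page does not cover. The port assignments, VLAN IDs and names follow Figure 5-1 and are constructed for the demonstration.

```python
"""Checks for an ASA 5505 switch-port and VLAN layout.

Added example for this chapter; not code from the ASDM guide or the ASA.
The Base-license restriction on the third VLAN is modeled as a no-forward
set. Port assignments, VLAN IDs and names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Active VLANs allowed per (license, firewall mode), as stated in the text.
ACTIVE_VLAN_LIMIT = {
    ("base", "routed"): 3,
    ("base", "transparent"): 2,
    ("security-plus", "routed"): 20,
    ("security-plus", "transparent"): 3,   # one of which must be the failover VLAN
}
SWITCH_PORTS = [f"Ethernet0/{n}" for n in range(8)]   # eight Fast Ethernet ports


@dataclass
class Vlan:
    vlan_id: int
    nameif: Optional[str] = None        # a VLAN is "active" once it has a name
    no_forward_to: Set[int] = field(default_factory=set)


@dataclass
class Asa5505:
    license: str                        # "base" or "security-plus"
    mode: str = "routed"                # "routed" or "transparent"
    vlans: Dict[int, Vlan] = field(default_factory=dict)
    ports: Dict[str, int] = field(default_factory=dict)   # switch port -> VLAN ID

    def add_vlan(self, vlan: Vlan) -> None:
        self.vlans[vlan.vlan_id] = vlan

    def assign(self, port: str, vlan_id: int) -> None:
        if port not in SWITCH_PORTS:
            raise ValueError(f"{port} is not one of the eight switch ports")
        if vlan_id not in self.vlans:
            raise ValueError(f"VLAN {vlan_id} is not defined")
        self.ports[port] = vlan_id

    def active_vlans(self) -> List[Vlan]:
        return [v for v in self.vlans.values() if v.nameif]

    def path(self, src_port: str, dst_port: str) -> str:
        """Describe how a frame from src_port reaches dst_port."""
        s, d = self.ports[src_port], self.ports[dst_port]
        if s == d:
            return "hardware-switched"          # same VLAN: no security policy applied
        sv, dv = self.vlans[s], self.vlans[d]
        if not (sv.nameif and dv.nameif):
            return "dropped: VLAN without a name is not active"
        if d in sv.no_forward_to:
            return f"blocked: VLAN {s} may not initiate traffic to VLAN {d}"
        verb = "routed" if self.mode == "routed" else "bridged"
        return f"firewall: {verb} {sv.nameif} -> {dv.nameif}"

    def check_license(self) -> List[str]:
        """Return violations of the active-VLAN rules for this license and mode."""
        problems = []
        active = self.active_vlans()
        limit = ACTIVE_VLAN_LIMIT[(self.license, self.mode)]
        if len(active) > limit:
            problems.append(f"{len(active)} active VLANs exceeds the {self.license} "
                            f"{self.mode}-mode limit of {limit}")
        if self.license == "base" and self.mode == "routed" and len(active) == 3:
            # The third VLAN must be limited to initiating traffic to one other VLAN.
            if not any(v.no_forward_to for v in active):
                problems.append("Base license: the third VLAN must be restricted "
                                "to initiating traffic to only one other VLAN")
        return problems


def build_sample() -> Asa5505:
    """Constructed Base-license layout after Figure 5-1: Internet, Business, Home."""
    asa = Asa5505(license="base")
    asa.add_vlan(Vlan(2, "outside"))                          # Internet
    asa.add_vlan(Vlan(1, "business"))
    asa.add_vlan(Vlan(3, "home", no_forward_to={1}))          # may reach outside only
    asa.assign("Ethernet0/0", 2)
    for port in ("Ethernet0/1", "Ethernet0/2", "Ethernet0/3", "Ethernet0/4", "Ethernet0/5"):
        asa.assign(port, 1)
    asa.assign("Ethernet0/6", 3)
    asa.assign("Ethernet0/7", 3)
    return asa


if __name__ == "__main__":
    asa = build_sample()
    for a, b in [("Ethernet0/1", "Ethernet0/2"), ("Ethernet0/1", "Ethernet0/0"),
                 ("Ethernet0/6", "Ethernet0/0"), ("Ethernet0/6", "Ethernet0/1")]:
        print(f"{a} -> {b}: {asa.path(a, b)}")
    print("license check:", asa.check_license() or "ok")
```

The hardware-switched result is the one to keep in mind when planning: two hosts on ports in the same VLAN exchange frames without the firewall ever seeing them, so anything that must be inspected or logged needs to sit in a different VLAN.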


Default Interface Configuration

If your adaptive security appliance includes the default factory configuration, your interfaces are configured as follows:

- The outside interface (security level 0) is VLAN 2. Ethernet 0/0 is assigned to VLAN 2 and is enabled. The VLAN 2 IP address is obtained from the DHCP server.

- The inside interface (security level 100) is VLAN 1. Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and are enabled. VLAN 1 has IP address 192.168.1.1.

Restore the default factory configuration using the configure factory-default command. Use the procedures in this chapter to modify the default configuration, for example, to add VLAN interfaces. If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other parameters are configured.

VLAN MAC Addresses

In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses.

Power Over Ethernet


Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you install a non-PoE device or do not connect anything to these switch ports, the adaptive security appliance does not supply power to the switch ports. If you shut down the switch port from the Edit Switch Port dialog box, you disable power to the device. Power is restored when you reenable the switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command.

Monitoring Traffic Using SPAN


If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring. The port for which you enable SPAN (called the destination port) receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port. See the switchport monitor command in the Cisco ASA 5500 Series Command Reference for more information.


Security Level Overview


Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network can be in between. You can assign interfaces to the same security level. The level controls the following behavior:

• Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

• Inspection engines: Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine: Applied only for outbound connections.
  – SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the adaptive security appliance.

• Filtering: HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.

• NAT control: When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

• established command: This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.
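The rules above can be checked against a concrete layout. The following Python model is an added example written for this edit, not Cisco code and not how the appliance implements its policy; the interface names, security levels, addresses and the single access list are assumptions, and the fourth, same-security interface would need the Security Plus license. It applies the implicit permit, the two same-security switches from the Interfaces pane, the Base-license Restrict Traffic Flow block, and an applied access list to a new connection and reports which rule decided it.

```python
"""Model of the interface security-level access rules described in this section.

Added illustration, not Cisco code. Interface names, levels, addresses and the
access list are made up. The checks run in the order the text gives them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (action, source network, destination network); first match wins,
# and an applied access list ends with an implicit deny.
AclEntry = Tuple[str, str, str]


@dataclass
class Interface:
    name: str
    security_level: int                             # 0 (lowest) to 100 (highest)
    access_list: Optional[List[AclEntry]] = None    # None = no access list applied
    block_to: Optional[str] = None                  # Restrict Traffic Flow target (Base license)


@dataclass
class Appliance:
    interfaces: Dict[str, Interface]
    same_security_inter: bool = False   # "Enable traffic between two or more interfaces ... same security levels"
    same_security_intra: bool = False   # "Enable traffic between two or more hosts connected to the same interface"

    def permits(self, ingress: str, egress: str, src: str, dst: str) -> Tuple[bool, str]:
        """Decide whether a new connection entering `ingress` and leaving `egress` is allowed."""
        i, e = self.interfaces[ingress], self.interfaces[egress]

        # Base-license restriction: the limited third VLAN may not initiate contact with its blocked VLAN.
        if i.block_to == egress:
            return False, f"{ingress} is restricted from initiating contact with {egress}"

        # Same-interface and same-security traffic stay off unless explicitly enabled.
        if ingress == egress and not self.same_security_intra:
            return False, "traffic between hosts on the same interface is disabled"
        if ingress != egress and i.security_level == e.security_level and not self.same_security_inter:
            return False, "traffic between same-security interfaces is disabled"

        # An access list applied to the ingress interface replaces the implicit rules.
        if i.access_list is not None:
            for action, src_net, dst_net in i.access_list:
                if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
                    return action == "permit", f"access list on {ingress}: {action}"
            return False, f"access list on {ingress}: implicit deny"

        # Implicit rules by relative security level.
        if i.security_level > e.security_level:
            return True, "implicit permit (higher to lower security level)"
        if i.security_level == e.security_level:
            return True, "implicit permit (same security level)"
        return False, "implicit deny (lower to higher security level)"


def example_appliance(same_security: bool = False) -> Appliance:
    """Made-up layout: outside, business, a restricted home VLAN, and a dmz at the same level as home."""
    return Appliance(
        interfaces={
            "outside": Interface("outside", 0,
                                 access_list=[("permit", "0.0.0.0/0", "192.168.1.80/32")]),
            "business": Interface("business", 100),
            "home": Interface("home", 50, block_to="business"),
            "dmz": Interface("dmz", 50),
        },
        same_security_inter=same_security,
    )


if __name__ == "__main__":
    asa = example_appliance()
    for flow in [("business", "outside", "192.168.1.10", "198.51.100.7"),
                 ("home", "outside", "192.168.3.10", "198.51.100.7"),
                 ("home", "business", "192.168.3.10", "192.168.1.10"),
                 ("business", "home", "192.168.1.10", "192.168.3.10"),
                 ("outside", "business", "198.51.100.7", "192.168.1.80"),
                 ("outside", "business", "198.51.100.7", "192.168.1.10"),
                 ("home", "dmz", "192.168.3.10", "192.168.4.10")]:
        allowed, why = asa.permits(*flow)
        print(f"{flow[0]:>8} -> {flow[1]:<8} {'PERMIT' if allowed else 'DENY  '} {why}")
```

The order of the checks matters: the Restrict Traffic Flow block and the same-security switches are evaluated before any access list, so an access list on the home interface cannot reopen the path to the business VLAN that the Base license closed.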

Configuring VLAN Interfaces


For information about how many VLANs you can configure, see the Maximum Active VLAN Interfaces for Your License section on page 5-14.

Note

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 12, Failover, to configure the failover link. If you enabled Easy VPN, you cannot add or delete VLAN interfaces, nor can you edit the security level or interface name. We suggest that you finalize your interface configuration before you enable Easy VPN.

This section includes the following topics:

• Interfaces > Interfaces, page 5-18
• Add/Edit Interface > General, page 5-19
• Add/Edit Interface > Advanced, page 5-22

Interfaces > Interfaces


The Interfaces tab displays configured VLAN interfaces. You can add or delete VLAN interfaces, and also enable communication between interfaces on the same security level or enable traffic to enter and exit the same interface. Transparent firewall mode allows only two interfaces to pass through traffic.
Fields

• Name: Displays the interface name.
• Switch Ports: Shows the switch ports assigned to this VLAN interface.
• Enabled: Indicates if the interface is enabled, Yes or No.
• Security Level: Displays the interface security level between 0 and 100. By default, the security level is 0.
• IP Address: Displays the IP address, or in transparent mode, the word "native". Transparent mode interfaces do not use IP addresses. To set the IP address for the context or the security appliance, see the Management IP pane.
• Subnet Mask: For routed mode only. Displays the subnet mask.
• Restrict Traffic Flow: Shows if this interface is restricted from initiating contact to another VLAN. With the Base license, you can only configure a third VLAN if you use this option to limit it. For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the Restrict Traffic Flow option on the home VLAN; the business network can access the home network, but the home network cannot access the business network. If you already have two VLAN interfaces configured with a name, be sure to enable the Restrict Traffic Flow option before you name the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

Note

If you upgrade to the Security Plus license, you can remove this option and achieve full functionality for this interface. If you leave this option enabled, this interface continues to be limited even after upgrading.

• Backup Interface: Shows the backup ISP interface for this interface. If this interface fails, the backup interface takes over. The backup interface does not pass through traffic unless the default route through the primary interface fails. This option is useful for Easy VPN; when the backup interface becomes the primary, the security appliance moves the VPN rules to the new primary interface.

To ensure that traffic can pass over the backup interface when the primary fails, configure default routes on both the primary and backup interfaces. For example, you can configure two default routes: one for the primary interface with a lower administrative distance, and one for the backup interface with a higher distance. To configure dual ISP support, see the Static Route Tracking section on page 14-29.

• VLAN: Shows the VLAN ID for this interface.
• Management Only: Indicates if the interface allows traffic to the security appliance for management purposes only.
• MTU: Displays the MTU. By default, the MTU is 1500.
• Active MAC Address: Shows the active MAC address, if you assigned one manually on the Add/Edit Interface > Advanced tab.
• Standby MAC Address: Shows the standby MAC address (for failover), if you assigned one manually.
• Description: Displays a description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface", "STATE Failover Interface", or "LAN/STATE Failover Interface", for example. You cannot edit this description.
• Add: Adds an interface. If you enabled Easy VPN, you cannot add VLAN interfaces.
• Edit: Edits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. If you enabled Easy VPN, you cannot edit the security level or interface name.
• Delete: Deletes the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane. If you enabled Easy VPN, you cannot delete VLAN interfaces.
• Enable traffic between two or more interfaces which are configured with same security levels: Enables communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
• Enable traffic between two or more hosts connected to the same interface: Enables traffic to enter and exit the same interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit Interface > General


The Add/Edit Interface > General tab lets you add or edit a VLAN interface.

If you intend to use an interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. If you enabled Easy VPN, you cannot edit the security level or interface name. We suggest that you finalize your interface configuration before you enable Easy VPN. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

• Switch Ports: Assigns switch ports to this VLAN interface.
  – Available Switch Ports: Lists all switch ports, even if they are currently assigned to a different interface.
  – Selected Switch Ports: Lists the switch ports assigned to this interface.
  – Add: Adds a selected switch port to the interface. You see the following message: "switchport is associated with name interface. Adding it to this interface, will remove it from name interface. Do you want to continue?" Click OK to add the switch port. You always see this message when adding a switch port to an interface; switch ports are assigned to the VLAN 1 interface by default even when you do not have any configuration.
  – Remove: Removes a switch port from an interface. Because the default VLAN interface for switch ports is VLAN 1, removing a switch port from an interface essentially just reassigns that switch port to VLAN 1.
• Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
• Dedicate this interface to management only: Sets the interface to accept traffic to the security appliance only, and not through traffic. You cannot set a primary or backup ISP interface to be management only.
• Interface Name: Sets an interface name up to 48 characters in length.
• Security Level: Sets the security level between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
• IP Address: For routed mode only, sets the IP address.
  – Use Static IP: Manually sets the IP address.
    · IP address: Sets the IP address.
    · Subnet Mask: Sets the subnet mask.
  – Obtain Address via DHCP: Dynamically sets the IP address using DHCP.
    · For the client identifier in DHCP option 61: To force a MAC address to be stored inside a DHCP request packet for option 61 instead of the default internally generated string, click Use MAC address. Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned. To use the default string, click Use Cisco-<MAC>-<interface_name>-<host>.
    · Obtain Default Route Using DHCP: Obtains a default route from the DHCP server so that you do not need to configure a default static route.

    · Retry Count: Sets the number of times, between 4 and 16, that the security appliance resends a DHCP request if it does not receive a reply after the first attempt. The total number of attempts is the retry count plus the first attempt. For example, if you set the retry count to 4, the security appliance sends up to 5 DHCP requests.
    · DHCP Learned Route Metric: Assigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrative distance for the learned routes is 1.
    · Enable tracking: Check this check box to enable route tracking for DHCP-learned routes.

Note

Route tracking is only available in single, routed mode.

    · Track ID: A unique identifier for the route tracking process. Valid values are from 1 to 500.
    · Track IP Address: Enter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object reachable through that interface.
    · SLA ID: A unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647.
    · Monitoring Options: Click this button to open the Route Monitoring Options dialog box, where you can configure the parameters of the tracked object monitoring process.
    · Enable DHCP Broadcast flag for DHCP request and discover messages: Allows the security appliance to set the broadcast flag in the DHCP client packet. This option sets the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover requesting an IP address. The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1. Without this option, the broadcast flag is set to 0, and the DHCP server unicasts the reply packets to the client with the offered IP address. The DHCP client can receive both broadcast and unicast offers from the DHCP server.
    · Renew DHCP Lease: Renews the DHCP lease.
  – Use PPPoE: Dynamically sets the IP address using PPPoE.
    · Group Name: Specify a group name.
    · PPPoE Username: Specify the username provided by your ISP.
    · PPPoE Password: Specify the password provided by your ISP.
    · Confirm Password: Specify the password again.
    · PPP Authentication: Select PAP, CHAP, or MSCHAP. PAP passes the username and password in cleartext during authentication and is not secure. With CHAP, the server sends a challenge and the client returns a one-way hash of the challenge and the password, together with a cleartext username; the password itself never crosses the link. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only hashed passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE.
    · Store Username and Password in Local Flash: Stores the username and password in a special location of NVRAM on the security appliance. If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator.

    · IP Address and Route Settings: Displays the PPPoE IP Address and Route Settings dialog box, where you can choose addressing and tracking options. See the PPPoE IP Address and Route Settings section on page 4-10.

• Description: Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface", "STATE Failover Interface", or "LAN/STATE Failover Interface", for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
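The difference between PAP and CHAP in the PPP Authentication field above is easiest to see on the wire. The following Python exchange is an added example, not Cisco code and not the appliance's PPPoE client; the toy access concentrator, the user name, the secret and the 16-byte challenge are made up. It runs a PAP and a CHAP authentication against the same server, shows what an eavesdropper on the link captures in each case, and shows that a captured CHAP response cannot be replayed against a fresh challenge. MSCHAP is not modelled.

```python
"""PAP versus CHAP on a PPP link, as an added illustration (not Cisco code).

CHAP follows RFC 1994: response = MD5(identifier || secret || challenge).
The access concentrator, user, secret and challenge length are made up.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5 over Identifier, secret, Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessConcentrator:
    """ISP side: knows each user's secret, issues fresh challenges, verifies answers."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users
        self.identifier = 0
        self.challenge: Optional[bytes] = None

    def new_challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)       # a repeated challenge would make responses replayable
        return self.identifier, self.challenge

    def verify_pap(self, username: str, password: bytes) -> bool:
        secret = self.users.get(username)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_chap(self, username: str, identifier: int, response: bytes) -> bool:
        secret = self.users.get(username)
        if secret is None or self.challenge is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = None                 # each challenge is good for exactly one answer
        return hmac.compare_digest(expected, response)


def pap_exchange(ac: AccessConcentrator, username: str, password: bytes) -> Tuple[bool, bytes]:
    """Return (authenticated, bytes an eavesdropper sees). PAP sends the password itself."""
    on_wire = username.encode() + b"\x00" + password
    return ac.verify_pap(username, password), on_wire


def chap_exchange(ac: AccessConcentrator, username: str, secret: bytes,
                  replayed_response: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """Return (authenticated, bytes an eavesdropper sees). Only a hash crosses the wire.

    Pass `replayed_response` to model an attacker re-sending a captured response
    to a new challenge instead of computing one from the secret.
    """
    identifier, challenge = ac.new_challenge()
    if replayed_response is None:
        response = chap_response(identifier, secret, challenge)
    else:
        response = replayed_response
    on_wire = username.encode() + b"\x00" + bytes([identifier]) + challenge + response
    return ac.verify_chap(username, identifier, response), on_wire


def captured_chap_response(on_wire: bytes) -> bytes:
    """Pull the 16-byte MD5 response out of a captured CHAP exchange."""
    return on_wire[-16:]


if __name__ == "__main__":
    ac = AccessConcentrator({"dsl-user": b"isp-secret"})
    ok, wire = pap_exchange(ac, "dsl-user", b"isp-secret")
    print("PAP  authenticated:", ok, "| secret visible on wire:", b"isp-secret" in wire)
    ok, wire = chap_exchange(ac, "dsl-user", b"isp-secret")
    print("CHAP authenticated:", ok, "| secret visible on wire:", b"isp-secret" in wire)
    ok, _ = chap_exchange(ac, "dsl-user", b"isp-secret", replayed_response=captured_chap_response(wire))
    print("CHAP replay of a captured response accepted:", ok)
```

Note what CHAP does not give you: the concentrator still has to hold the cleartext secret to recompute the hash, the exchange is one-way (the client never authenticates the concentrator), and nothing after authentication is encrypted, which is the reason the text pairs MSCHAP with MPPE.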

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit Interface > Advanced


The Add/Edit Interface > Advanced tab lets you set the MTU, VLAN ID, MAC addresses, and other options.
Fields

• MTU: Sets the MTU from 300 to 65,535 bytes. The default is 1500 bytes. For multiple context mode, set the MTU in the context configuration.
• VLAN ID: Sets the VLAN ID for this interface between 1 and 4090. If you do not assign a VLAN ID, ASDM assigns one for you randomly.
• MAC Address Cloning: Manually assigns MAC addresses. By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique MAC addresses, or change the generated ones, if your switch requires it or for access control purposes.
  – Active MAC Address: Assigns a MAC address to the interface in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE is entered as 000C.F142.4CDE.
  – Standby MAC Address: For use with failover, sets the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
• Block Traffic: Restricts this VLAN interface from initiating contact to another VLAN. With the Base license, you can only configure a third VLAN if you use this option to limit it. For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the Restrict Traffic Flow option on the home VLAN; the business network can access the home network, but the home network cannot access the business network. If you already have two VLAN interfaces configured with a name, be sure to enable the Restrict Traffic Flow option before you name the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance and will not let you configure one.

Note

If you upgrade to the Security Plus license, you can remove this option and achieve full functionality for this interface. If you leave this option enabled, this interface continues to be limited even after upgrading.

  – Block Traffic from this Interface to: Choose a VLAN ID in the list.
• Select Backup Interface: Shows the backup ISP interface for this interface. If this interface fails, the backup interface takes over. The backup interface does not pass through traffic unless the default route through the primary interface fails. This option is useful for Easy VPN; when the backup interface becomes the primary, the security appliance moves the VPN rules to the new primary interface. To ensure that traffic can pass over the backup interface when the primary fails, configure default routes on both the primary and backup interfaces. For example, you can configure two default routes: one for the primary interface with a lower administrative distance, and one for the backup interface with a higher distance. To configure dual ISP support, see the Static Route Tracking section on page 14-29.
  – Backup Interface: Choose a VLAN ID in the list.
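How the two default routes and the tracked object combine into a backup path can be traced in code. The following Python model is an added example, not Cisco code; the gateway addresses, administrative distances, probe outcomes and the three-failure threshold are assumptions, and the real tracking parameters live in the Route Monitoring Options dialog box. It withdraws the primary default route when its tracked target stops answering, so the backup route with the higher distance is installed, and reinstalls the primary when the target recovers. It also shows what happens when the backup interface has no default route of its own.

```python
"""Backup ISP selection with tracked static routes, as an added illustration (not Cisco code).

Gateway addresses, distances, the probe outcomes and the failure threshold are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DefaultRoute:
    interface: str                       # VLAN interface the route points out of
    gateway: str
    distance: int                        # administrative distance; lower wins when both are usable
    track_target: Optional[str] = None   # address the monitor probes; None = never withdrawn


class SlaMonitor:
    """Declares a target down after `failures_to_down` consecutive unanswered probes."""

    def __init__(self, target: str, failures_to_down: int = 3) -> None:
        self.target = target
        self.failures_to_down = failures_to_down
        self.consecutive_failures = 0
        self.up = True

    def probe(self, answered: bool) -> bool:
        if answered:
            self.consecutive_failures = 0
            self.up = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failures_to_down:
                self.up = False
        return self.up


class RoutingTable:
    def __init__(self, routes: List[DefaultRoute], monitors: Dict[str, SlaMonitor]) -> None:
        self.routes = routes
        self.monitors = monitors         # keyed by tracked target address

    def usable(self, route: DefaultRoute) -> bool:
        if route.track_target is None:
            return True
        return self.monitors[route.track_target].up

    def installed_default(self) -> Optional[DefaultRoute]:
        """The default route in effect: lowest distance among routes whose target is up."""
        candidates = [r for r in self.routes if self.usable(r)]
        return min(candidates, key=lambda r: r.distance, default=None)


def example_table() -> RoutingTable:
    """Primary ISP on 'outside' (distance 1, tracked), backup ISP on 'backup-isp' (distance 254)."""
    primary = DefaultRoute("outside", "203.0.113.1", distance=1, track_target="203.0.113.1")
    backup = DefaultRoute("backup-isp", "198.51.100.1", distance=254)
    monitors = {"203.0.113.1": SlaMonitor("203.0.113.1", failures_to_down=3)}
    return RoutingTable([primary, backup], monitors)


def failover_sequence(table: RoutingTable, target: str, probe_results: List[bool]) -> List[str]:
    """Feed probe outcomes for `target`; return the egress interface chosen after each probe."""
    chosen = []
    for answered in probe_results:
        table.monitors[target].probe(answered)
        route = table.installed_default()
        chosen.append(route.interface if route else "none")
    return chosen


if __name__ == "__main__":
    # Primary gateway answers, goes silent for four probes, then recovers.
    print(failover_sequence(example_table(), "203.0.113.1", [True, False, False, False, False, True]))
    # ['outside', 'outside', 'outside', 'backup-isp', 'backup-isp', 'outside']
```

Two points carry over to the appliance: the backup route is only ever used because it exists with a worse distance, so forgetting it leaves no default route at all when the primary is withdrawn; and the primary takes over again as soon as tracking succeeds, so a flapping target flaps the ISP selection with it unless the monitoring thresholds are chosen to absorb short outages.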

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Configuring Switch Ports


This section describes how to configure switch ports, and includes the following topics:

• Interfaces > Switch Ports, page 5-24
• Edit Switch Port, page 5-24

Caution

The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop.

Interfaces > Switch Ports


The Switch Ports tab displays the switch port parameters.
Fields

• Switch Port: Lists the switch ports in the security appliance.
• Enabled: Shows if the switch port is enabled, Yes or No.
• Associated VLANs: Lists the VLAN interfaces to which the switch port is assigned. A trunk switch port can be associated with multiple VLANs.
• Associated Interface Names: Lists the VLAN interface names.
• Mode: The mode, Access or Trunk. Access ports can be assigned to one VLAN. Trunk ports can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license.
• Protected: Shows if this switch port is protected, Yes or No. This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other by applying the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
• Edit: Edits the switch port.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Edit Switch Port


The Edit Switch Port dialog box lets you configure the mode, assign a switch port to a VLAN, and set the Protected option.
Fields

• Switch Port: Display only. Shows the selected switch port ID.
• Enable Switch Port: Enables this switch port.
• Mode and VLAN IDs: Sets the mode and the assigned VLANs.
  – Access VLAN ID: Sets the mode to access mode. Enter the VLAN ID to which you want to assign this switch port. By default, the VLAN ID is derived from the VLAN interface configuration in Interfaces > Interfaces. You can change the VLAN assignment in this dialog box. Be sure to apply the change to update the Interfaces > Interfaces tab with the new information. If you want to specify a VLAN that has not yet been added, we suggest you add the VLAN from the Interfaces > Interfaces tab and specify the switch port in the Add/Edit Interface > General tab rather than specifying it in this dialog box; in either case, you need to add the VLAN on the Interfaces > Interfaces tab and assign the switch port to it.
  – Trunk VLAN IDs: Sets the mode to trunk mode using 802.1Q tagging. Trunk mode is available only with the Security Plus license. Enter the VLAN IDs to which you want to assign this switch port, separated by commas. If the VLANs are already in your configuration, after you apply the change, the Interfaces > Interfaces tab shows this switch port added to each VLAN. If you want to specify a VLAN that has not yet been added, we suggest you add the VLAN from the Interfaces > Interfaces tab and specify the switch port in the Add/Edit Interface > General tab rather than specifying it in this dialog box; in either case, you need to add the VLAN on the Interfaces > Interfaces tab and assign the switch port to it.

Note

You can also allow a native VLAN on the trunk port. Use the switchport trunk native vlan vlan_id command at the Command Line Interface tool.

• Isolated: This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other by applying the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
  – Isolated: Sets this switch port as a protected port.
• Duplex: Lists the duplex options for the interface: Full, Half, or Auto. The Auto setting is the default. If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
• Speed: The Auto setting is the default. If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power. The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or the duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and the duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Chapter 6 Global Objects

The Global Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. For example, once you define the hosts and networks that are covered by your security policy, you can select the host or network to which a feature applies, instead of having to redefine it every time. This saves time and ensures consistency and accuracy of your security policy. When you need to add or delete a host or network, you can use the Global Objects pane to change it in a single place. This chapter includes the following sections:

• Using Network Objects and Groups, page 6-1
• Configuring Service Groups, page 6-5
• Configuring Class Maps, page 6-8
• Configuring Inspect Maps, page 6-28
• Configuring Regular Expressions, page 6-101
• TCP Maps, page 6-107
• Configuring Time Ranges, page 6-110

Using Network Objects and Groups


This section describes how to use network objects and groups, and includes the following topics:

• Network Object Overview, page 6-1
• Configuring a Network Object, page 6-2
• Configuring a Network Object Group, page 6-3
• Using Network Objects and Groups in a Rule, page 6-4
• Viewing the Usage of a Network Object or Group, page 6-4

Network Object Overview


Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or a AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.


You can add network objects manually, or you can let ASDM automatically create objects from existing configuration, such as access rules and AAA rules. If you edit one of these derived objects, it persists even if you later delete the rule that used it. Otherwise, derived objects only reflect the current configuration if you refresh. A network object group is a group containing multiple hosts and networks together. A network object group can also contain other network object groups. You can then specify the network object group as the source address or destination address in an access rule. When you are configuring rules, the ASDM window includes an Addresses side pane at the right that shows available network objects and network object groups; you can add, edit, or delete objects directly in the Addresses pane. You can also drag additional network objects and groups from the Addresses pane to the source or destination of a selected access rule.

Configuring a Network Object


To configure a network object, perform the following steps:
Step 1  In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object to add a new object, or choose an object and click Edit. You can also add or edit network objects from the Addresses side pane in a rules window, or when you are adding a rule. To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed. The Add/Edit Network Object dialog box appears.

Step 2  Fill in the following values:

• Name: (Optional) The object name. Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.
• IP Address: The IP address, either a host or network address.
• Netmask: The subnet mask for the IP address.
• Description: (Optional) The description of the network object.

Step 3  Click OK. You can now use this network object when you create a rule. For an edited object, the change is inherited automatically by any rules using the object.

Note

You cannot delete a network object that is in use.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Configuring a Network Object Group


To configure a network object group, perform the following steps:
Step 1  In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object Group to add a new object group, or choose an object group and click Edit. You can also add or edit network object groups from the Addresses side pane in a rules window, or when you are adding a rule. To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed. The Add/Edit Network Object Group dialog box appears.

Step 2  In the Group Name field, enter a group name. Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.

Step 3  (Optional) In the Description field, enter a description up to 200 characters in length.

Step 4  You can add existing objects or groups to the new group (nested groups are allowed), or you can create a new address to add to the group:

• To add an existing network object or group to the new group, double-click the object in the Existing Network Objects/Groups pane. You can also select the object, and then click Add. The object or group is added to the right-hand Members in Group pane.
• To add a new address, fill in the values under the Create New Network Object Member area, and click Add. The object or group is added to the right-hand Members in Group pane. This address is also added to the network object list.
• To remove an object, double-click it in the Members in Group pane, or click Remove.

Step 5  After you add all the member objects, click OK. You can now use this network object group when you create a rule. For an edited object group, the change is inherited automatically by any rules using the group.

Note

You cannot delete a network object group that is in use.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Using Network Objects and Groups in a Rule


When you create a rule, you can enter an IP address manually, or you can browse for a network object or group to use in the rule. To use a network object or group in a rule, perform the following steps:

Step 1

From the rule dialog box, click the ... browse button next to the source or destination address field. The Browse Source Address or Browse Destination Address dialog box appears. To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.

Step 2

You can either add a new network object or group, or choose an existing network object or group by double-clicking it. To add a new network object, see the Configuring a Network Object section on page 6-2. To add a new network object group, see the Configuring a Network Object Group section on page 6-3.

After you add a new object or double-click an existing object, it appears in the Selected Source/Destination field. For access rules, you can add multiple objects and groups in the field, separated by commas.

Step 3

Click OK. You return to the rule dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Viewing the Usage of a Network Object or Group


To view what rules use a network object or group, in the Configuration > Global Objects > Network Objects/Group pane, click the magnifying glass Find icon. The Usages dialog box appears listing all the rules currently using the network object or group. This dialog box also lists any Network Objects/Groups that contain the object.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
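The network objects, nested groups, and usage lookup described in the preceding sections correspond, in the running configuration that ASDM writes, to object-group network, network-object, and group-object lines that access-list entries then reference by name. The following Python script is an added example; it is not part of the ASDM guide or of any Cisco tool. It parses a constructed configuration fragment, flattens a nested group into a collapsed list of prefixes (refusing circular nesting, which the dialog does not let you create but a hand-edited configuration could), reports which access lists and parent groups reference a group in the way the Usages dialog does, applies the in-use rule that prevents deletion, and checks a name against the character rules given above. The configuration text and the helper names (valid_object_name, parse_network_groups, flatten, group_usage, can_delete) are this example's own assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ASA-style running-config fragment for this example (not from a real device).
SAMPLE_CONFIG = """\
object-group network DMZ-WEB
 description Public web tier
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network DMZ-DB
 network-object 192.0.2.64 255.255.255.224
object-group network DMZ-ALL
 group-object DMZ-WEB
 group-object DMZ-DB
 network-object 198.51.100.0 255.255.255.0
object-group network LEGACY-HOSTS
 network-object host 203.0.113.5
access-list OUTSIDE_IN extended permit tcp any object-group DMZ-WEB eq 443
access-list OUTSIDE_IN extended deny ip any object-group DMZ-ALL
access-list INSIDE_OUT extended permit ip object-group DMZ-DB any
"""

# Name rule from the Add/Edit dialog: a-z, A-Z, 0-9, dot, dash, underscore; 64 characters or less.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def valid_object_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def parse_network_groups(config: str) -> dict:
    """Return {group: [members]}; a member is an ip_network or ("group", name) for a nested group."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None                      # an unindented line ends the object-group block
            continue
        parts = line.split()
        if parts[0] == "network-object":
            if parts[1] == "host":
                groups[current].append(ipaddress.ip_network(parts[2]))
            else:                               # network-object <address> <mask>
                groups[current].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "group-object":
            groups[current].append(("group", parts[1]))
        # description lines carry no addressing information and are skipped
    return groups


def flatten(groups: dict, name: str, _stack: tuple = ()) -> list:
    """Expand nested groups into a collapsed list of networks; raise on circular nesting."""
    if name in _stack:
        raise ValueError("circular nesting: " + " -> ".join(_stack + (name,)))
    if name not in groups:
        raise KeyError(f"undefined group {name}")
    nets = []
    for member in groups[name]:
        if isinstance(member, tuple):
            nets.extend(flatten(groups, member[1], _stack + (name,)))
        else:
            nets.append(member)
    # collapse_addresses merges adjacent and overlapping prefixes; all members here are IPv4
    return sorted(ipaddress.collapse_addresses(nets))


def group_usage(config: str, groups: dict) -> dict:
    """Map each group to the ACLs and parent groups that reference it (what the Usages dialog lists)."""
    usage = defaultdict(list)
    for line in config.splitlines():
        if line.startswith("access-list "):
            for ref in re.findall(r"object-group (\S+)", line):
                usage[ref].append(line.split()[1])          # the ACL name
    for parent, members in groups.items():
        for member in members:
            if isinstance(member, tuple):
                usage[member[1]].append("group:" + parent)
    return dict(usage)


def can_delete(name: str, usage: dict) -> bool:
    """ASDM refuses to delete an object or group that is still in use."""
    return not usage.get(name)


if __name__ == "__main__":
    groups = parse_network_groups(SAMPLE_CONFIG)
    usage = group_usage(SAMPLE_CONFIG, groups)
    for g in groups:
        state = "deletable" if can_delete(g, usage) else "in use"
        print(g, [str(n) for n in flatten(groups, g)], usage.get(g, []), state)
```

Flattening is what an auditor needs when a rule permits "object-group DMZ-ALL": the rule's real scope is the union of every nested member, here collapsed to three prefixes, not the group name shown in the rule table.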

Configuring Service Groups


This section describes how to configure service groups, and includes the following topics:

• Service Groups, page 6-5
• Add/Edit Service Group, page 6-6
• Browse Service Groups, page 6-7

Service Groups
The Service Groups pane lets you associate multiple services into a named group. You can create service groups for each of the following types:

• TCP ports
• UDP ports
• TCP-UDP ports
• ICMP types
• IP protocols

Multiple service groups can be nested into a group of groups and used as a single group. You can use a service group for most configurations that require you to identify a port, ICMP type, or protocol. When you are configuring NAT or security policy rules, the ASDM window even includes a side pane at the right that shows available service groups and other global objects; you can add, edit, or delete objects directly in the side pane.
Fields

• Add: Adds a service group. Choose the type of service group you want to add from the drop-down list.
• Edit: Edits a service group.
• Delete: Deletes a service group. When a service group is deleted, it is removed from all service groups where it is used. If a service group is used in an access rule, do not remove it. A service group used in an access rule cannot be made empty.
• Find: Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
  - Filter field: Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.
  - Filter: Runs the filter.
  - Clear: Clears the Filter field.
• Type: Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all service groups, choose All.
• Name: Lists the service group names. Click the plus (+) icon next to the name to expand the service group so you can view the services. Click the minus (-) icon to collapse the service group.
• Description: Lists the service group descriptions.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit Service Group


The Add/Edit Service Group dialog box lets you assign services to a service group. This dialog box name matches the type of service group you are adding; for example, if you are adding a TCP service group, the name is Add/Edit TCP Service Group.
Fields

• Group Name: Enter the group name, up to 64 characters in length. The name must be unique for all object groups. A service group name cannot share a name with a network object group.
• Description: Enter a description of this service group, up to 200 characters in length.
• Members Not in Group: Identifies items that can be added to the service group.
  - Service/Service Group, ICMP Type/ICMP Group, or Protocol/Protocol Group: The title of this table depends on the type of service group you are adding. Choose from already defined service groups, or choose from a list of commonly used port, type, or protocol names.
    - Name: Lists the already defined service groups and commonly used ports, types, or protocols.
  - Port #, ICMP #, or Protocol #: The title of this table depends on the type of service group you are adding. Lets you add a new item, either by number or name. For TCP, UDP, and TCP-UDP service groups, you can enter a range of port numbers.
• Members in Group: Shows items that are already added to the service group.
• Add: Adds the selected item to the service group.
• Remove: Removes the selected item from the service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Browse Service Groups


The Browse Service Groups dialog box lets you choose a service group. This dialog box is used in multiple configuration screens and is named appropriately for your current task. For example, from the Add/Edit Access Rule dialog box, this dialog box is named Browse Source Port or Browse Destination Port.
Fields

• Add: Adds a service group.
• Edit: Edits the selected service group.
• Delete: Deletes the selected service group.
• Find: Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
  - Filter field: Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.
  - Filter: Runs the filter.
  - Clear: Clears the Filter field.
• Type: Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all types, choose All. Typically, the type of rule you configure can only use one type of service group; you cannot select a UDP service group for a TCP access rule.
• Name: Shows the name of the service group. Click the plus (+) icon next to the name of an item to expand it. Click the minus (-) icon to collapse the item.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Configuring Class Maps


An inspection class map matches application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP. This section describes how to configure inspection class maps, and includes the following topics:

• DNS Class Map, page 6-8
• FTP Class Map, page 6-12
• H.323 Class Map, page 6-15
• HTTP Class Map, page 6-17
• IM Class Map, page 6-22
• SIP Class Map, page 6-25

DNS Class Map


The DNS Class Map panel lets you configure DNS class maps for DNS inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the DNS class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the DNS class map.
  - Value: Shows the value to match in the DNS class map.
• Description: Shows the description of the class map.
• Add: Adds match conditions for the DNS class map.
• Edit: Edits match conditions for the DNS class map.
• Delete: Deletes match conditions for the DNS class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit DNS Traffic Class Map


The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.
Fields

• Name: Enter the name of the DNS class map, up to 40 characters in length.
• Description: Enter the description of the DNS class map.
• Add: Adds a DNS class map.
• Edit: Edits a DNS class map.
• Delete: Deletes a DNS class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit DNS Match Criterion


The Add/Edit DNS Match Criterion dialog box lets you define the match criterion and value for the DNS class map.
Fields

• Match Type: Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion: Specifies which criterion of DNS traffic to match.
  - Header Flag: Match a DNS flag in the header.
  - Type: Match a DNS query or resource record type.
  - Class: Match a DNS query or resource record class.
  - Question: Match a DNS question.
  - Resource Record: Match a DNS resource record.
  - Domain Name: Match a domain name from a DNS query or resource record.
• Header Flag Criterion Values: Specifies the value details for the DNS header flag match.
  - Match Option: Specifies either an exact match or match all bits (bit mask match).
  - Match Value: Specifies to match either the header flag name or the header flag value.
    - Header Flag Name: Lets you select one or more header flag names to match, including the AA (authoritative answer), QR (query/response), RA (recursion available), RD (recursion desired), and TC (truncation) flag bits.
    - Header Flag Value: Lets you enter an arbitrary 16-bit value in hex to match.
• Type Criterion Values: Specifies the value details for the DNS type match.
  - DNS Type Field Name: Lists the DNS types to select.
    - A: IPv4 address
    - NS: Authoritative name server
    - CNAME: Canonical name
    - SOA: Start of a zone of authority
    - TSIG: Transaction signature
    - IXFR: Incremental (zone) transfer
    - AXFR: Full (zone) transfer
  - DNS Type Field Value: Specifies to match either a DNS type field value or a DNS type field range.
    - Value: Lets you enter an arbitrary value between 0 and 65535 to match.
    - Range: Lets you enter a range match. Both values must be between 0 and 65535.
• Class Criterion Values: Specifies the value details for the DNS class match.
  - DNS Class Field Name: Specifies to match on internet, the DNS class field name.
  - DNS Class Field Value: Specifies to match either a DNS class field value or a DNS class field range.
    - Value: Lets you enter an arbitrary value between 0 and 65535 to match.
    - Range: Lets you enter a range match. Both values must be between 0 and 65535.
• Question Criterion Values: Specifies to match on the DNS question section.
• Resource Record Criterion Values: Specifies to match on the DNS resource record section.
  - Resource Record: Lists the sections to match.
    - Additional: DNS additional resource record
    - Answer: DNS answer resource record
    - Authority: DNS authority resource record
• Domain Name Criterion Values: Specifies to match on the DNS domain name.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
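The header-flag, type-range, domain-name and Match/No Match semantics of the DNS match criterion above, together with the match-any behaviour of a regular expression class map described in the Manage Regular Expression Class Maps section below, can be seen end to end in the following Python script. It is an added example and is not part of the ASDM guide or of the ASA inspection engine. It builds a DNS query from constructed values, parses the header flags and first question, and evaluates a class map made of a positive type-range criterion and a negative (No Match) domain-name criterion. Assumptions of the example: the exact-match option compares only the five named flag bits (opcode and RCODE bits are ignored), the criteria of one class map are combined with AND, a regular expression class matches when any one of its expressions matches, and the names build_query, parse_dns_question, header_flag_match, regex_class, Criterion and evaluate_class_map are the example's own.

```python
import re
import struct
from dataclasses import dataclass
from typing import Callable, Iterable, List

# DNS header flag bits from RFC 1035 (the 16-bit flags word that follows the ID).
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
FLAG_MASK = 0x8780   # QR|AA|TC|RD|RA; opcode, Z and RCODE bits are ignored (assumption)


def build_query(name: str, qtype: int, flags: int = 0x0100, qclass: int = 1) -> bytes:
    """Construct a one-question DNS message; the default flags word has only RD set."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


@dataclass
class DnsQuestion:
    flags: int
    qname: str
    qtype: int
    qclass: int


def parse_dns_question(msg: bytes) -> DnsQuestion:
    """Parse the header and the first question; a question name is never compressed."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return DnsQuestion(flags, ".".join(labels).lower(), qtype, qclass)


def header_flag_match(flags: int, names: Iterable[str], exact: bool) -> bool:
    """exact=True: the named bits are the only flag bits set; exact=False: all named bits are set (bit mask)."""
    wanted = 0
    for n in names:
        wanted |= FLAG_BITS[n]
    return (flags & FLAG_MASK) == wanted if exact else (flags & wanted) == wanted


def regex_class(patterns: Iterable[str]) -> Callable[[DnsQuestion], bool]:
    """A regular expression class map is match-any: one matching expression is enough."""
    compiled = [re.compile(p) for p in patterns]
    return lambda q: any(r.search(q.qname) for r in compiled)


@dataclass
class Criterion:
    test: Callable[[DnsQuestion], bool]
    no_match: bool = False   # the dialog's "No Match" type inverts the criterion


def evaluate_class_map(q: DnsQuestion, criteria: List[Criterion], match_all: bool = True) -> bool:
    results = [c.test(q) != c.no_match for c in criteria]
    return all(results) if match_all else any(results)


# Example class map: zone-transfer requests (type range IXFR..AXFR) for names outside our own zone.
ZONE_XFER_OUTSIDE = [
    Criterion(lambda q: 251 <= q.qtype <= 252),                    # Type: Range 251 to 252
    Criterion(regex_class([r"\.example\.com$"]), no_match=True),  # Domain Name: No Match
]


def classify(msg: bytes) -> bool:
    return evaluate_class_map(parse_dns_question(msg), ZONE_XFER_OUTSIDE, match_all=True)


if __name__ == "__main__":
    for name, qtype in [("www.example.com", 1), ("www.example.com", 252), ("victim.example.net", 252)]:
        print(name, qtype, classify(build_query(name, qtype)))
```

The negated domain-name criterion is the part worth checking twice in a real policy: with a No Match on your own zone, an AXFR for example.com is deliberately not classified, so whatever action the inspect map attaches to this class map will not fire for it.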

Manage Regular Expressions


The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
Fields

• Name: Shows the regular expression names.
• Value: Shows the regular expression definitions.
• Add: Adds a regular expression.
• Edit: Edits a regular expression.
• Delete: Deletes a regular expression.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Manage Regular Expression Class Maps


The Manage Regular Expression Class Maps dialog box lets you configure regular expression class maps. See Regular Expressions for more information.
Fields

• Name: Shows the regular expression class map name.
• Match Conditions: Shows the match type and regular expressions in the class map.
  - Match Type: Shows the match type, which for regular expressions is always a positive match (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches (shown by the icon with the red circle). If more than one regular expression is in the class map, each match type icon appears with OR next to it, to indicate that this class map is a match-any class map: traffic matches the class map if any one of the regular expressions is matched.
  - Regular Expression: Lists the regular expressions included in each class map.
• Description: Shows the description of the class map.
• Add: Adds a regular expression class map.
• Edit: Edits a regular expression class map.
• Delete: Deletes a regular expression class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

FTP Class Map


The FTP Class Map panel lets you configure FTP class maps for FTP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the FTP class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the FTP class map.
  - Value: Shows the value to match in the FTP class map.
• Description: Shows the description of the class map.
• Add: Adds an FTP class map.
• Edit: Edits an FTP class map.
• Delete: Deletes an FTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit FTP Traffic Class Map


The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.
Fields

• Name: Enter the name of the FTP class map, up to 40 characters in length.
• Description: Enter the description of the FTP class map.
• Add: Adds an FTP class map.
• Edit: Edits an FTP class map.
• Delete: Deletes an FTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit FTP Match Criterion


The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
Fields

• Match Type: Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion: Specifies which criterion of FTP traffic to match.
  - Request-Command: Match an FTP request command.
  - File Name: Match a filename for FTP transfer.
  - File Type: Match a file type for FTP transfer.
  - Server: Match an FTP server.
  - User Name: Match an FTP user.
• Request-Command Criterion Values: Specifies the value details for the FTP request command match.
  - Request Command: Lets you select one or more request commands to match.
    - APPE: Append to a file.
    - CDUP: Change to the parent of the current directory.
    - DELE: Delete a file at the server site.
    - GET: FTP client command for the RETR (retrieve a file) command.
    - HELP: Help information from the server.
    - MKD: Create a directory.
    - PUT: FTP client command for the STOR (store a file) command.
    - RMD: Remove a directory.
    - RNFR: Rename from.
    - RNTO: Rename to.
    - SITE: Specify a server-specific command.
    - STOU: Store a file with a unique name.
• File Name Criterion Values: Specifies to match on the FTP transfer filename.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• File Type Criterion Values: Specifies to match on the FTP transfer file type.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Server Criterion Values: Specifies to match on the FTP server.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• User Name Criterion Values: Specifies to match on the FTP user.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

H.323 Class Map


The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the H.323 class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the H.323 class map.
  - Value: Shows the value to match in the H.323 class map.
• Description: Shows the description of the class map.
• Add: Adds an H.323 class map.
• Edit: Edits an H.323 class map.
• Delete: Deletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit H.323 Traffic Class Map


The Add/Edit H.323 Traffic Class Map dialog box lets you define an H.323 class map.
Fields

• Name: Enter the name of the H.323 class map, up to 40 characters in length.
• Description: Enter the description of the H.323 class map.
• Add: Adds an H.323 class map.
• Edit: Edits an H.323 class map.
• Delete: Deletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit H.323 Match Criterion


The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.
Fields

• Match Type: Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion: Specifies which criterion of H.323 traffic to match.
  - Called Party: Match the called party.
  - Calling Party: Match the calling party.
  - Media Type: Match the media type.
• Called Party Criterion Values: Specifies to match on the H.323 called party.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values: Specifies to match on the H.323 calling party.
  - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Media Type Criterion Values: Specifies which media type to match.
  - Audio: Match audio type.
  - Video: Match video type.
  - Data: Match data type.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

HTTP Class Map


The HTTP Class Map panel lets you configure HTTP class maps for HTTP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the HTTP class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the HTTP class map.
  - Value: Shows the value to match in the HTTP class map.
• Description: Shows the description of the class map.
• Add: Adds an HTTP class map.
• Edit: Edits an HTTP class map.
• Delete: Deletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit HTTP Traffic Class Map


The Add/Edit HTTP Traffic Class Map dialog box lets you define an HTTP class map.
Fields

• Name: Enter the name of the HTTP class map, up to 40 characters in length.
• Description: Enter the description of the HTTP class map.
• Add: Adds an HTTP class map.
• Edit: Edits an HTTP class map.
• Delete: Deletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit HTTP Match Criterion


The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of HTTP traffic to match.


Request/Response Content Type MismatchSpecifies that the content type in the response

must match one of the MIME types in the accept field of the request.
Request ArgumentsApplies the regular expression match to the arguments of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Body LengthApplies the regular expression match to the body of the request with

field length greater than the bytes specified. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.

Cisco ASDM User Guide

6-18

OL-10106-04

Chapter 6

Global Objects Configuring Class Maps

Request BodyApplies the regular expression match to the body of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Header Field CountApplies the regular expression match to the header of the request

with a maximum number of header fields. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than CountEnter the maximum number of header fields.
Request Header Field LengthApplies the regular expression match to the header of the

request with field length greater than the bytes specified. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.
Request Header FieldApplies the regular expression match to the header of the request.

PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Cisco ASDM User Guide OL-10106-04

6-19

Chapter 6 Configuring Class Maps

Global Objects

• Request Header Count: Applies the regular expression match to the header of the request with a maximum number of headers.
    – Greater Than Count: Enter the maximum number of headers.
• Request Header Length: Applies the regular expression match to the header of the request with length greater than the bytes specified.
    – Greater Than Length: Enter a header length value in bytes.
• Request Header non-ASCII: Matches non-ASCII characters in the header of the request.
• Request Method: Applies the regular expression match to the method of the request.
    – Method: Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
    – Regular Expression: Specifies to match on a regular expression.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Request URI Length: Applies the regular expression match to the URI of the request with length greater than the bytes specified.
    – Greater Than Length: Enter a URI length value in bytes.
• Request URI: Applies the regular expression match to the URI of the request.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Response Body: Applies the regex match to the body of the response.
    – ActiveX: Specifies to match on ActiveX.
    – Java Applet: Specifies to match on a Java Applet.
    – Regular Expression: Specifies to match on a regular expression.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Response Body Length: Applies the regular expression match to the body of the response with field length greater than the bytes specified.
    – Greater Than Length: Enter a field length value in bytes that response field lengths will be matched against.
• Response Header Field Count: Applies the regular expression match to the header of the response with a maximum number of header fields.
    – Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Greater Than Count: Enter the maximum number of header fields.
• Response Header Field Length: Applies the regular expression match to the header of the response with field length greater than the bytes specified.
    – Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Greater Than Length: Enter a field length value in bytes that response field lengths will be matched against.
• Response Header Field: Applies the regular expression match to the header of the response.
    – Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Response Header Count: Applies the regular expression match to the header of the response with a maximum number of headers.
    – Greater Than Count: Enter the maximum number of headers.
• Response Header Length: Applies the regular expression match to the header of the response with length greater than the bytes specified.
    – Greater Than Length: Enter a header length value in bytes.
• Response Header non-ASCII: Matches non-ASCII characters in the header of the response.


• Response Status Line: Applies the regular expression match to the status line.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
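The HTTP request criteria described above (request method, URI length, header count, header length, non-ASCII header bytes, and a regular expression or length test on a named header field) operate on the parsed request head. The Python script below is an added illustration, not code from the ASDM guide or from the security appliance: it parses a constructed request and applies the same kinds of criteria, then combines them the way a class map does (match-all versus match-any, with negation standing for the dialog's No Match choice). The function names and the sample request are the example's own; only the criterion semantics come from the field descriptions.

```python
import re
from dataclasses import dataclass

# Constructed sample request (not from the page); CRLF line endings as on the wire.
SAMPLE_REQUEST = (
    b"POST /upload/" + b"a" * 300 + b" HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"User-Agent: EvilScanner/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"X-Note: caf\xc3\xa9\r\n"                 # non-ASCII bytes in a header value
    b"Content-Length: 0\r\n"
    b"\r\n"
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: list        # (lower-case field name, raw value bytes)
    header_lines: list   # raw header lines without CRLF, for the length checks


def parse_request(raw: bytes) -> HttpRequest:
    """Split the request head into the request line and its header fields."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].decode("latin-1").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"), value.strip()))
    return HttpRequest(method, uri, version, headers, lines[1:])


# Each criterion is a predicate over a parsed request, mirroring one dialog entry.
def request_method(methods):
    allowed = {m.lower() for m in methods}
    return lambda r: r.method.lower() in allowed


def request_uri_length_gt(n):
    return lambda r: len(r.uri) > n


def request_header_count_gt(n):
    return lambda r: len(r.headers) > n


def request_header_length_gt(n):
    return lambda r: sum(len(line) for line in r.header_lines) > n


def request_header_non_ascii():
    return lambda r: any(b > 0x7F for line in r.header_lines for b in line)


def request_header_field_regex(name, pattern):
    rx, wanted = re.compile(pattern), name.lower()
    return lambda r: any(rx.search(v.decode("latin-1"))
                         for n, v in r.headers if n == wanted)


def request_header_field_length_gt(name, n):
    wanted = name.lower()
    return lambda r: any(len(v) > n for h, v in r.headers if h == wanted)


def evaluate_class_map(req, criteria, match_all=True):
    """criteria: (predicate, negated) pairs; negated=True is the dialog's No Match.
    match_all requires every criterion to hold; otherwise any one is enough."""
    outcomes = [pred(req) != negated for pred, negated in criteria]
    return all(outcomes) if match_all else any(outcomes)


def demo():
    """Match-all class map: POST/PUT with a flagged User-Agent and a long URI."""
    req = parse_request(SAMPLE_REQUEST)
    suspicious = [
        (request_method(["post", "put"]), False),
        (request_header_field_regex("User-Agent", r"EvilScanner"), False),
        (request_uri_length_gt(256), False),
    ]
    return evaluate_class_map(req, suspicious)


if __name__ == "__main__":
    print("class map matched:", demo())
```

The header-length criterion here sums the raw header lines, and the non-ASCII test looks at both field names and values; the guide does not say exactly which bytes the appliance counts, so treat those two choices as this example's own.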

IM Class Map
The IM Class Map panel lets you configure IM class maps for IM inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the IM class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
    – Match Type: Shows the match type, which can be a positive or negative match.
    – Criterion: Shows the criterion of the IM class map.
    – Value: Shows the value to match in the IM class map.
• Description: Shows the description of the class map.
• Add: Adds an IM class map.
• Edit: Edits an IM class map.
• Delete: Deletes an IM class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit IM Traffic Class Map


The Add/Edit IM Traffic Class Map dialog box lets you define an IM class map.
Fields

• Name: Enter the name of the IM class map, up to 40 characters in length.
• Description: Enter the description of the IM class map.
• Add: Adds an IM class map.
• Edit: Edits an IM class map.
• Delete: Deletes an IM class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit IM Match Criterion


The Add/Edit IM Match Criterion dialog box lets you define the match criterion and value for the IM class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

• Criterion: Specifies which criterion of IM traffic to match.
    – Protocol: Match IM protocols.
    – Service: Match IM services.
    – Version: Match IM file transfer service version.
    – Client Login Name: Match client login name from IM service.
    – Client Peer Login Name: Match client peer login name from IM service.
    – Source IP Address: Match source IP address.
    – Destination IP Address: Match destination IP address.
    – Filename: Match filename from IM file transfer service.

• Protocol Criterion Values: Specifies which IM protocols to match.
    – Yahoo! Messenger: Specifies to match Yahoo! Messenger instant messages.
    – MSN Messenger: Specifies to match MSN Messenger instant messages.
• Service Criterion Values: Specifies which IM services to match.
    – Chat: Specifies to match IM message chat service.
    – Conference: Specifies to match IM conference service.
    – File Transfer: Specifies to match IM file transfer service.
    – Games: Specifies to match IM gaming service.
    – Voice Chat: Specifies to match IM voice chat service (not available for Yahoo IM).
    – Web Cam: Specifies to match IM webcam service.
• Version Criterion Values: Specifies to match the version from the IM file transfer service. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Client Login Name Criterion Values: Specifies to match the client login name from the IM service. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Client Peer Login Name Criterion Values: Specifies to match the client peer login name from the IM service. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Source IP Address Criterion Values: Specifies to match the source IP address of the IM service.
    – IP Address: Enter the source IP address of the IM service.
    – IP Mask: Mask of the source IP address.
• Destination IP Address Criterion Values: Specifies to match the destination IP address of the IM service.
    – IP Address: Enter the destination IP address of the IM service.
    – IP Mask: Mask of the destination IP address.
• Filename Criterion Values: Specifies to match the filename from the IM file transfer service. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

SIP Class Map


The SIP Class Map panel lets you configure SIP class maps for SIP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

• Name: Shows the SIP class map name.
• Match Conditions: Shows the type, match criterion, and value in the class map.
    – Match Type: Shows the match type, which can be a positive or negative match.
    – Criterion: Shows the criterion of the SIP class map.
    – Value: Shows the value to match in the SIP class map.
• Description: Shows the description of the class map.
• Add: Adds a SIP class map.
• Edit: Edits a SIP class map.
• Delete: Deletes a SIP class map.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit SIP Traffic Class Map


The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.
Fields

• Name: Enter the name of the SIP class map, up to 40 characters in length.
• Description: Enter the description of the SIP class map.
• Add: Adds a SIP class map.
• Edit: Edits a SIP class map.
• Delete: Deletes a SIP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit SIP Match Criterion


The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

• Criterion: Specifies which criterion of SIP traffic to match.
    – Called Party: Match the called party as specified in the To header.
    – Calling Party: Match the calling party as specified in the From header.
    – Content Length: Match the Content Length header, between 0 and 65536.
    – Content Type: Match the Content Type header.
    – IM Subscriber: Match the SIP IM subscriber.
    – Message Path: Match the SIP Via header.
    – Request Method: Match the SIP request method.
    – Third-Party Registration: Match the requester of a third-party registration.
    – URI Length: Match a URI in the SIP headers, between 0 and 65536.

• Called Party Criterion Values: Specifies to match the called party. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values: Specifies to match the calling party. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Content Length Criterion Values: Specifies to match a SIP content header of a length greater than specified.
    – Greater Than Length: Enter a header length value in bytes.
• Content Type Criterion Values: Specifies to match a SIP content header type.
    – SDP: Match an SDP SIP content header type.
    – Regular Expression: Match a regular expression.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• IM Subscriber Criterion Values: Specifies to match the IM subscriber. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Message Path Criterion Values: Specifies to match a SIP Via header. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Request Method Criterion Values: Specifies to match a SIP request method.
    – Request Method: Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.
• Third-Party Registration Criterion Values: Specifies to match the requester of a third-party registration. Applies the regular expression match.
    – Regular Expression: Lists the defined regular expressions to match.
    – Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    – Regular Expression Class: Lists the defined regular expression classes to match.
    – Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• URI Length Criterion Values: Specifies to match a URI of a selected type and greater than the specified length in the SIP headers.
    – URI type: Specifies to match either SIP URI or TEL URI.
    – Greater Than Length: Length in bytes.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
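The SIP criteria above, together with the Match Type rule stated for both the IM and the SIP match criterion dialogs (No Match on example.com excludes traffic containing example.com), are shown working in the added Python example below; it is not code from the ASDM guide or from the security appliance. It parses two constructed requests, an INVITE carrying SDP and a REGISTER in which the From and To users differ, and implements called party, calling party, content length, content type, message path (Via), request method, URI length by scheme, and third-party registration as predicates. The third-party test follows RFC 3261 (a REGISTER whose From differs from To) and applies the regular expression to the From URI; reading "the requester" as the From URI is this example's assumption. The IM subscriber criterion is not modelled, and all function names are the example's own.

```python
import re

# Constructed sample messages (not from the page); CRLF line endings as on the wire.
# The INVITE body is truncated: the Content-Length header is what the criterion reads.
SAMPLE_INVITE = (
    b"INVITE sip:bob@voip.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b'From: "Alice" <sip:alice@voip.example.com>;tag=1928301774\r\n'
    b"To: <sip:bob@voip.example.com>\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 142\r\n"
    b"\r\n"
    b"v=0\r\n"
)
# REGISTER whose From differs from To, i.e. a third-party registration (RFC 3261, 10.2).
SAMPLE_REGISTER = (
    b"REGISTER sip:registrar.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKnashds7\r\n"
    b"From: <sip:mallory@voip.example.com>;tag=456248\r\n"
    b"To: <sip:bob@voip.example.com>\r\n"
    b"CSeq: 1826 REGISTER\r\n"
    b"Contact: <tel:+15555550100>\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
URI_RX = {"sip": re.compile(r"sips?:[^\s<>;,]+"), "tel": re.compile(r"tel:[^\s<>;,]+")}


def parse_sip(raw):
    """Split a SIP request into method, Request-URI and (lower-case name, value) headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "request_uri": request_uri, "headers": headers, "body": body}


def header_values(msg, name):
    return [v for n, v in msg["headers"] if n == name]


def _header_regex(name, pattern):
    rx = re.compile(pattern)
    return lambda m: any(rx.search(v) for v in header_values(m, name))


def called_party(pattern):
    return _header_regex("to", pattern)          # To header


def calling_party(pattern):
    return _header_regex("from", pattern)        # From header


def message_path(pattern):
    return _header_regex("via", pattern)         # Via header(s)


def content_type_sdp():
    return lambda m: any(v.split(";")[0].strip().lower() == "application/sdp"
                         for v in header_values(m, "content-type"))


def content_length_gt(n):
    return lambda m: any(v.isdigit() and int(v) > n
                         for v in header_values(m, "content-length"))


def request_method(methods):
    allowed = {x.upper() for x in methods}
    return lambda m: m["method"].upper() in allowed


def uri_length_gt(uri_type, n):
    """A URI of the chosen scheme (sip or tel), in the Request-URI or any header, longer than n."""
    rx = URI_RX[uri_type]

    def pred(m):
        fields = [m["request_uri"]] + [v for _, v in m["headers"]]
        return any(len(u) > n for f in fields for u in rx.findall(f))
    return pred


def third_party_registration(pattern):
    """REGISTER whose From URI differs from To; the regex is applied to the From URI."""
    rx = re.compile(pattern)

    def pred(m):
        if m["method"].upper() != "REGISTER":
            return False
        frm = [u for v in header_values(m, "from") for u in URI_RX["sip"].findall(v)]
        to = [u for v in header_values(m, "to") for u in URI_RX["sip"].findall(v)]
        return bool(frm) and frm != to and any(rx.search(u) for u in frm)
    return pred


def evaluate_class_map(msg, criteria, match_all=True):
    """criteria: (predicate, negated) pairs; negated=True is the dialog's No Match."""
    outcomes = [pred(msg) != negated for pred, negated in criteria]
    return all(outcomes) if match_all else any(outcomes)


def demo():
    """Match-all class map: a REGISTER that registers a different user's address."""
    reg = parse_sip(SAMPLE_REGISTER)
    return evaluate_class_map(reg, [(request_method(["register"]), False),
                                    (third_party_registration(r"@voip\.example\.com"), False)])
```

A negated called-party criterion on `example\.com` evaluates to False for the INVITE, which is the exclusion the dialog text describes: the class map does not include traffic whose To header contains example.com.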

Configuring Inspect Maps


This section describes how to configure inspect maps, and includes the following topics:

• DCERPC Inspect Map, page 6-31
• DNS Inspect Map, page 6-33
• ESMTP Inspect Map, page 6-41
• FTP Inspect Map, page 6-49
• GTP Inspect Map, page 6-55
• H.323 Inspect Map, page 6-61
• HTTP Inspect Map, page 6-67
• Instant Messaging (IM) Inspect Map, page 6-75
• IPSec Pass Through Inspect Map, page 6-79
• MGCP Inspect Map, page 6-82
• NetBIOS Inspect Map, page 6-85
• RADIUS Inspect Map, page 6-86
• SCCP (Skinny) Inspect Map, page 6-88
• SIP Inspect Map, page 6-93
• SNMP Inspect Map, page 6-100

The algorithm the security appliance uses for stateful application inspection ensures the security of applications and services. Some applications require special handling, and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports.

Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.

Each application inspection engine also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

In addition, stateful application inspection audits the validity of the commands and responses within the protocol being inspected. The security appliance helps to prevent attacks by verifying that traffic conforms to the RFC specifications for each protocol that is inspected.

The Inspect Maps feature lets you create inspect maps for specific protocol inspection engines. You use an inspect map to store the configuration for a protocol inspection engine. You then enable the configuration settings in the inspect map by associating the map with a specific type of traffic using a global security policy or a security policy for a specific interface. Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy.
A service policy can apply to a specific interface or to all the interfaces on the security appliance.

DCERPC: The DCERPC inspection lets you create, view, and manage DCERPC inspect maps. You can use a DCERPC map to inspect DCERPC messages between a client and endpoint mapper, and to apply NAT for the secondary connection, if needed. DCERPC is a specification for a remote procedure call mechanism.

DNS: The DNS inspection lets you create, view, and manage DNS inspect maps. You can use a DNS map to have more control over DNS messages and to protect against DNS spoofing and cache poisoning. DNS is used to resolve information about domain names, including IP addresses and mail servers.

ESMTP: The ESMTP inspection lets you create, view, and manage ESMTP inspect maps. You can use an ESMTP map for application security and protocol conformance to protect against attacks, to block senders and receivers, and to block mail relay. Extended SMTP defines protocol extensions to the SMTP standard.

FTP: The FTP inspection lets you create, view, and manage FTP inspect maps. FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.

GTP: The GTP inspection lets you create, view, and manage GTP inspect maps. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.

H.323: The H.323 inspection lets you create, view, and manage H.323 inspect maps. You can use an H.323 map to inspect RAS, H.225, and H.245 VoIP protocols, and for state tracking and filtering.

HTTP: The HTTP inspection lets you create, view, and manage HTTP inspect maps. HTTP is the protocol used for communication between Worldwide Web clients and servers. You can use an HTTP map to enforce RFC compliance and HTTP payload content type. You can also block specific HTTP methods and prevent the use of certain tunneled applications that use HTTP as the transport.

IM: The IM inspection lets you create, view, and manage IM inspect maps. You can use an IM map to control the network usage and stop leakage of confidential data and other network threats from IM applications.

IPSec Pass Through: The IPSec Pass Through inspection lets you create, view, and manage IPSec Pass Through inspect maps. You can use an IPSec Pass Through map to permit certain flows without using an access list.

MGCP: The MGCP inspection lets you create, view, and manage MGCP inspect maps. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

NetBIOS: The NetBIOS inspection lets you create, view, and manage NetBIOS inspect maps. You can use a NetBIOS map to enforce NetBIOS protocol conformance including field count and length consistency, and message checks.

RADIUS Accounting: The RADIUS Accounting inspection lets you create, view, and manage RADIUS Accounting inspect maps. You can use a RADIUS map to protect against an overbilling attack.

SCCP (Skinny): The SCCP (Skinny) inspection lets you create, view, and manage SCCP (Skinny) inspect maps. You can use an SCCP map to perform protocol conformance checks and basic state tracking.

SIP: The SIP inspection lets you create, view, and manage SIP inspect maps. You can use a SIP map for application security and protocol conformance to protect against SIP-based attacks. SIP is a protocol widely used for internet conferencing, telephony, presence, events notification, and instant messaging.

SNMP: The SNMP inspection lets you create, view, and manage SNMP inspect maps. SNMP is a protocol used for communication between network management devices and network management stations. You can use an SNMP map to block a specific SNMP version, including SNMP v1, 2, 2c and 3.

DCERPC Inspect Map


The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection. DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely. This typically involves a client querying a server called the Endpoint Mapper (EPM), listening on a well-known port number, for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection. DCERPC inspect maps inspect native TCP communication between the EPM and the client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are taken from the applicable EPM response messages. Since a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, and pinholes have a user-configurable timeout.
Fields

• Name: Enter the name of the inspect map, up to 40 characters in length.
• Description: Enter the description of the inspect map, up to 200 characters in length.
• Security Level: Select the security level (high, medium, or low).
    – Low
        Pinhole timeout: 00:02:00
        Endpoint mapper service: not enforced
        Endpoint mapper service lookup: enabled
        Endpoint mapper service lookup timeout: 00:05:00
    – Medium (default)
        Pinhole timeout: 00:01:00
        Endpoint mapper service: not enforced
        Endpoint mapper service lookup: disabled
    – High
        Pinhole timeout: 00:01:00
        Endpoint mapper service: enforced
        Endpoint mapper service lookup: disabled
    – Customize: Opens the Customize Security Level dialog box for additional settings.
    – Default Level: Sets the security level back to the default level of Medium.
• DCERPC Inspect Maps: Table that lists the defined DCERPC inspect maps. The defined inspect maps are also listed in the DCERPC area of the Inspect Maps tree.
    – Add: Adds the new DCERPC inspect map to the defined list in the DCERPC Inspect Maps table and to the DCERPC area of the Inspect Maps tree. To configure the new DCERPC map, select the DCERPC entry in the Inspect Maps tree.
    – Delete: Deletes the application inspection map selected in the DCERPC Inspect Maps table and from the DCERPC area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured DCERPC application inspection maps.
Fields

• Settings: Specifies the pinhole timeout and endpoint mapper security settings.
    – Pinhole Timeout: Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
    – Enforce endpoint-mapper service: Enforces endpoint mapper service during binding.
    – Enforce endpoint-mapper service lookup: Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.
    – Service Lookup Timeout: Sets the timeout for pinholes from lookup operation.
• Reset to Predefined Security Level: Resets the security level settings to the predefined levels of high, medium, or low.
    – Reset To: Resets the security level to high, medium, or low.
• Reset: Resets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

DCERPC Inspect Map Basic/Advanced View


The DCERPC map pane lets you configure basic and advanced settings for previously configured DCERPC application inspection maps.
Fields

• Name: Shows the name of the previously configured DCERPC map.
• Description: Enter the description of the DCERPC map, up to 200 characters in length.
• Basic View: Shows the current security settings.
    – Customize: Opens the Customize Security Level dialog box to configure security settings.
    – Default Level: Sets the security level back to the default level of Medium.
• Advanced View: Lets you configure the security settings.
    – Pinhole Timeout: Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
    – Enforce endpoint-mapper service: Enforces endpoint mapper service during binding.
    – Enforce endpoint-mapper service lookup: Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.
    – Service Lookup Timeout: Sets the timeout for pinholes from lookup operation.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
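The pinhole behaviour that the DCERPC settings above control (a server endpoint learned from an EPM response, reused by several client connections until a timeout, with a separate timeout for lookup operations when lookup is enabled) is also the general secondary-channel mechanism described in the Configuring Inspect Maps overview. The Python below is an added example, not code from the guide or from the security appliance. It assumes the timeout is a fixed lifetime from pinhole creation, which the page does not state, and it carries the "enforce endpoint-mapper service" setting without modelling the bind-time check; the class and function names are the example's own, and the EPM response and timeline are constructed.

```python
from dataclasses import dataclass


def parse_timeout(text: str) -> int:
    """'hh:mm:ss' as typed in the dialog -> seconds, within the stated range 0:0:1 to 1193:0:0."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    total = hours * 3600 + minutes * 60 + seconds
    if not 1 <= total <= 1193 * 3600:
        raise ValueError(f"timeout {text!r} is outside 0:0:1 to 1193:0:0")
    return total


@dataclass
class DcerpcMapSettings:
    """The settings from the Customize Security Level dialog, at the Medium-level values."""
    pinhole_timeout: int = 60            # 00:01:00 at Medium and High, 00:02:00 at Low
    enforce_epm_service: bool = False    # carried only; the bind-time check is not modelled
    epm_lookup_enabled: bool = False
    lookup_timeout: int = 300            # 00:05:00, applied only when lookup is enabled


@dataclass
class Pinhole:
    server: str
    port: int
    expires_at: float
    uses: int = 0


class PinholeTable:
    """Pinholes opened from EPM responses; several client connections may reuse one."""

    def __init__(self, settings: DcerpcMapSettings):
        self.settings = settings
        self.holes = {}

    def open_from_epm(self, server, port, now, from_lookup=False):
        """Record the endpoint an EPM response advertised; returns the lifetime applied.
        Assumption of this model: the timeout is a fixed lifetime from creation."""
        if from_lookup and self.settings.epm_lookup_enabled:
            ttl = self.settings.lookup_timeout
        else:
            ttl = self.settings.pinhole_timeout     # "If disabled, the pinhole timeout is used."
        self.holes[(server, port)] = Pinhole(server, port, now + ttl)
        return ttl

    def permit(self, server, port, now):
        """Is a new client connection to server:port allowed at time `now`?"""
        hole = self.holes.get((server, port))
        if hole is None:
            return False                             # no EPM response announced this endpoint
        if now >= hole.expires_at:
            del self.holes[(server, port)]           # lifetime over; the client must ask EPM again
            return False
        hole.uses += 1
        return True

    def purge(self, now):
        """Drop expired pinholes; returns how many were removed."""
        expired = [key for key, hole in self.holes.items() if now >= hole.expires_at]
        for key in expired:
            del self.holes[key]
        return len(expired)


def scenario():
    """Constructed timeline: one EPM map response, several connections, then expiry."""
    table = PinholeTable(DcerpcMapSettings())           # Medium: 1-minute pinholes
    table.open_from_epm("10.0.0.5", 49152, now=0.0)     # constructed EPM response
    first = table.permit("10.0.0.5", 49152, now=5.0)    # allowed
    second = table.permit("10.0.0.5", 49152, now=30.0)  # allowed: reuse within the timeout
    late = table.permit("10.0.0.5", 49152, now=61.0)    # refused: pinhole expired
    unknown = table.permit("10.0.0.5", 50000, now=5.0)  # refused: never advertised by EPM
    return first, second, late, unknown


if __name__ == "__main__":
    print(scenario())
```

With lookup enabled, a pinhole created from a lookup operation lives for the Service Lookup Timeout (five minutes at the Low level) rather than the pinhole timeout, which is the distinction the two dialog entries draw.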

DNS Inspect Map


The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets you change the default configuration values used for DNS application inspection.


DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User-configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfer can be restricted between servers with this function, for example. The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or use a weak pseudo-random number generator. Limiting the domain names that can be queried protects the public server further. A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check that enforces a Transaction Signature (TSIG) be attached to all DNS messages is also supported.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
Security Level: Select the security level (high, medium, or low).

  Low (default):
    DNS Guard: enabled
    NAT rewrite: enabled
    Protocol enforcement: enabled
    ID randomization: disabled
    Message length check: enabled
    Message length maximum: 512
    Mismatch rate logging: disabled
    TSIG resource record: not enforced

  Medium:
    DNS Guard: enabled
    NAT rewrite: enabled
    Protocol enforcement: enabled
    ID randomization: enabled
    Message length check: enabled
    Message length maximum: 512
    Mismatch rate logging: enabled
    TSIG resource record: not enforced

  High:
    DNS Guard: enabled
    NAT rewrite: enabled
    Protocol enforcement: enabled
    ID randomization: enabled
    Message length check: enabled
    Message length maximum: 512
    Mismatch rate logging: enabled
    TSIG resource record: enforced
Customize: Opens the Customize Security Level dialog box for additional settings.
Default Level: Sets the security level back to the default level of Low.

DNS Inspect Maps: Table that lists the defined DNS inspect maps. The defined inspect maps are also listed in the DNS area of the Inspect Maps tree.
Add: Adds the new DNS inspect map to the defined list in the DNS Inspect Maps table and to the DNS area of the Inspect Maps tree. To configure the new DNS map, select the DNS entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the DNS Inspect Maps table and from the DNS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured DNS application inspection maps.
Fields

Settings: Specifies DNS security settings and actions.

  Enable DNS guard function: As part of protocol conformance, this option performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
  Enable NAT rewrite function: As part of protocol conformance, this option enables IP address translation in the A record of the DNS response.
  Enable protocol enforcement: As part of protocol conformance, this option enables the DNS message format check, including domain name, label length, compression, and looped pointer checks.
  Randomize the DNS identifier for DNS query: As part of protocol conformance, this option randomizes the DNS identifier in the DNS query message.
  Drop packets that exceed specified maximum length: As part of filtering, this option drops packets that exceed the maximum length in bytes.
    Maximum Packet Length: Enter the maximum packet length in bytes.
  Enable Logging when DNS ID mismatch rate exceeds specified rate: Reports excessive instances of DNS identifier mismatches.
    Mismatch Instance Threshold: Enter the maximum number of mismatch instances before a system message log is sent.
    Time Interval: Enter the time period to monitor (in seconds).
  Enforce TSIG resource record to be present in DNS message: As part of protocol conformance, this option requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
    Drop packet: Drops the packet (logging can be either enabled or disabled).
    Log: Enables logging.

Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  Reset to: Specifies the high, medium, or low security setting.
  Reset: Resets the settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

DNS Inspect Map Basic View


The DNS Inspect Map Basic View pane shows the configured settings for the DNS inspect map. The Advanced View lets you configure the settings.
Fields

Name: Shows the name of the previously configured DNS map.
Description: Enter the description of the DNS map, up to 200 characters in length.
Security Level: Shows the current security settings.
  Customize: Opens the Customize Security Level dialog box to configure the security settings.
  Default Level: Sets the security level back to the default.

Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

DNS Inspect Map Advanced View


The DNS Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

Name: Shows the name of the previously configured DNS map.
Description: Enter the description of the DNS map, up to 200 characters in length.
Protocol Conformance: Tab that lets you configure the protocol conformance settings for DNS.
  Enable DNS guard function: Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
  Enable NAT re-write function: Enables IP address translation in the A record of the DNS response.
  Enable protocol enforcement: Enables the DNS message format check, including domain name, label length, compression, and looped pointer checks.
  Randomize the DNS identifier for DNS query: Randomizes the DNS identifier in the DNS query message.
  Enforce TSIG resource record to be present in DNS message: Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
    Drop packet: Drops the packet (logging can be either enabled or disabled).
    Log: Enables logging.

Filtering: Tab that lets you configure the filtering settings for DNS.
  Global Settings: Applies settings globally.
    Drop packets that exceed specified maximum length (global): Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length: Enter the maximum packet length in bytes.
  Server Settings: Applies settings on the server only.
    Drop packets that exceed specified maximum length: Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length: Enter the maximum packet length in bytes.
    Drop packets sent to server that exceed length indicated by the RR: Drops packets sent to the server that exceed the length indicated by the Resource Record.
  Client Settings: Applies settings on the client only.
    Drop packets that exceed specified maximum length: Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length: Enter the maximum packet length in bytes.
    Drop packets sent to client that exceed length indicated by the RR: Drops packets sent to the client that exceed the length indicated by the Resource Record.

Mismatch Rate: Tab that lets you configure the ID mismatch rate for DNS.
  Enable Logging when DNS ID mismatch rate exceeds specified rate: Reports excessive instances of DNS identifier mismatches.
    Mismatch Instance Threshold: Enter the maximum number of mismatch instances before a system message log is sent.
    Time Interval: Enter the time period to monitor (in seconds).

Inspections: Tab that shows the DNS inspection configuration and lets you add or edit entries.
  Match Type: Shows the match type, which can be a positive or negative match.
  Criterion: Shows the criterion of the DNS inspection.
  Value: Shows the value to match in the DNS inspection.
  Action: Shows the action if the match condition is met.
  Log: Shows the log state.
  Add: Opens the Add DNS Inspect dialog box to add a DNS inspection.
  Edit: Opens the Edit DNS Inspect dialog box to edit a DNS inspection.
  Delete: Deletes a DNS inspection.
  Move Up: Moves an inspection up in the list.
  Move Down: Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Add/Edit DNS Inspect


The Add/Edit DNS Inspect dialog box lets you define the match criterion and value for the DNS inspect map.
Fields

Single Match: Specifies that the DNS inspect has only one match statement.
Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

Criterion: Specifies which criterion of DNS traffic to match.
  Header Flag: Match a DNS flag in the header.
  Type: Match a DNS query or resource record type.
  Class: Match a DNS query or resource record class.
  Question: Match a DNS question.
  Resource Record: Match a DNS resource record.
  Domain Name: Match a domain name from a DNS query or resource record.

Header Flag Criterion Values: Specifies the value details for the DNS header flag match.
  Match Option: Specifies either an exact match or a match of all bits (bit mask match).
  Match Value: Specifies whether to match on the header flag name or the header flag value.
    Header Flag Name: Lets you select one or more header flag names to match, including the AA (authoritative answer), QR (query), RA (recursion available), RD (recursion desired), and TC (truncation) flag bits.
    Header Flag Value: Lets you enter an arbitrary 16-bit value in hex to match.

Type Criterion Values: Specifies the value details for the DNS type match.
  DNS Type Field Name: Lists the DNS types to select.
    A: IPv4 address
    NS: Authoritative name server
    CNAME: Canonical name
    SOA: Start of a zone of authority
    TSIG: Transaction signature
    IXFR: Incremental (zone) transfer
    AXFR: Full (zone) transfer
  DNS Type Field Value: Specifies whether to match a DNS type field value or a DNS type field range.
    Value: Lets you enter an arbitrary value between 0 and 65535 to match.
    Range: Lets you enter a range match. Both values must be between 0 and 65535.

Class Criterion Values: Specifies the value details for the DNS class match.
  DNS Class Field Name: Specifies to match on internet, the DNS class field name.
  DNS Class Field Value: Specifies whether to match a DNS class field value or a DNS class field range.
    Value: Lets you enter an arbitrary value between 0 and 65535 to match.
    Range: Lets you enter a range match. Both values must be between 0 and 65535.

Question Criterion Values: Specifies to match on the DNS question section.

Resource Record Criterion Values: Specifies to match on the DNS resource record section.
  Resource Record: Lists the sections to match.
    Additional: DNS additional resource record
    Answer: DNS answer resource record
    Authority: DNS authority resource record

Domain Name Criterion Values: Specifies to match on the DNS domain name.
  Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches: Specifies multiple matches for the DNS inspection.
  DNS Traffic Class: Specifies the DNS traffic class match.
    Manage: Opens the Manage DNS Class Maps dialog box to add, edit, or delete DNS class maps.

Actions: Primary action and log settings.
  Primary Action: Mask, drop packet, drop connection, or none.
  Log: Enable or disable.
  Enforce TSIG: Do not enforce, drop packet, log, or drop packet and log.
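The following Python example is added here to show how the match criteria of this dialog combine on real messages; it is illustrative code written for this page, not the appliance's matching engine. It evaluates header-flag matches (exact value or bit mask), a type value or range, the class, and a domain-name regular expression on the question name, honours Match / No Match, and applies rows in Move Up / Move Down order so the first hit wins. The policy rows, type codes and sample queries are constructed for the demonstration; the `criterion` strings are names chosen for this example, not ASDM field values.

```python
"""Illustrative evaluation of Add/Edit DNS Inspect match criteria (not the
appliance's code). Rows are evaluated in list order; the first row whose
criterion fires decides the action, mirroring the Inspections table order."""
import re
import struct

# Header flag bits of the 16-bit flags field (RFC 1035) by the names used in the dialog.
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
# DNS type codes for the names listed in the dialog (IANA DNS parameters registry).
DNS_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}
CLASS_IN = 1   # the 'internet' class


def parse_question(msg):
    """Return (flags, qname, qtype, qclass) for the first question of a DNS message."""
    flags = struct.unpack("!H", msg[2:4])[0]
    pos, labels = 12, []
    while msg[pos] != 0:                       # question names are never compressed
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return flags, ".".join(labels), qtype, qclass


class DnsMatch:
    """One row of the Inspections table: criterion, value, Match/No Match, action, log."""

    def __init__(self, criterion, value, match=True, action="drop packet", log=True):
        self.criterion, self.value, self.match = criterion, value, match
        self.action, self.log = action, log

    def _raw_match(self, flags, qname, qtype, qclass):
        c, v = self.criterion, self.value
        if c == "header-flag-exact":           # flags field must equal the value exactly
            return flags == v
        if c == "header-flag-mask":            # every bit in the mask must be set
            return (flags & v) == v
        if c == "type":                        # a single value or a (low, high) range
            lo, hi = v if isinstance(v, tuple) else (v, v)
            return lo <= qtype <= hi
        if c == "class":
            return qclass == v
        if c == "domain-name":                 # regular expression against the query name
            return re.search(v, qname) is not None
        raise ValueError("unknown criterion %r" % c)

    def evaluate(self, msg):
        """Return (action, log) if this row fires, otherwise None."""
        hit = self._raw_match(*parse_question(msg))
        if hit == self.match:                  # No Match rows fire when the criterion does not match
            return self.action, self.log
        return None


def first_action(rows, msg, default=("none", False)):
    """Rows are tried top to bottom; the first row that fires wins."""
    for row in rows:
        verdict = row.evaluate(msg)
        if verdict:
            return verdict
    return default


def build_query(qname, qtype, flags=FLAG_BITS["RD"], qclass=CLASS_IN, ident=0x4242):
    """Construct a one-question DNS query (sample data, not a capture)."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\0"
    return header + name + struct.pack("!HH", qtype, qclass)


# Constructed policy: block zone transfers, drop queries for names outside example.com,
# drop queries with the TC bit set, and log everything else.
POLICY = [
    DnsMatch("type", (DNS_TYPES["IXFR"], DNS_TYPES["AXFR"]), action="drop connection"),
    DnsMatch("domain-name", r"(^|\.)example\.com$", match=False, action="drop packet"),
    DnsMatch("header-flag-mask", FLAG_BITS["TC"], action="drop packet"),
    DnsMatch("class", CLASS_IN, action="none", log=True),
]


def classify(qname, qtype, flags=FLAG_BITS["RD"]):
    """Apply POLICY to a constructed query and return (action, log)."""
    return first_action(POLICY, build_query(qname, qtype, flags))
```

The bit-mask row shows the difference between the two Match Options: a query carrying RD and TC still fires the TC row because all bits of the mask are set, whereas an exact-match row with the same value would require the flags field to be exactly 0x0200.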

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Manage Class Maps


The Manage Class Map dialog box lets you configure class maps for inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, Instant Messaging (IM), and SIP.
Fields

Name: Shows the class map name.
Match Conditions: Shows the type, match criterion, and value in the class map.
  Match Type: Shows the match type, which can be a positive or negative match.
  Criterion: Shows the criterion of the class map.
  Value: Shows the value to match in the class map.
Description: Shows the description of the class map.
Add: Adds match conditions for the class map.
Edit: Edits match conditions for the class map.
Delete: Deletes match conditions for the class map.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

ESMTP Inspect Map


The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection. Because ESMTP traffic can be a main source of attack (spam, phishing, malformed messages, buffer overflows, and buffer underflows), detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance checks enforce the sanity of ESMTP messages, detect several attacks, block senders and receivers, and block mail relay.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
Security Level: Select the security level (high, medium, or low).

  Low (default):
    Log if command line length is greater than 512
    Log if command recipient count is greater than 100
    Log if body line length is greater than 1000
    Log if sender address length is greater than 320
    Log if MIME file name length is greater than 255

  Medium:
    Obfuscate server banner
    Drop connection if command line length is greater than 512
    Drop connection if command recipient count is greater than 100
    Drop connection if body line length is greater than 1000
    Drop connection if sender address length is greater than 320
    Drop connection if MIME file name length is greater than 255

  High:
    Obfuscate server banner
    Drop connection if command line length is greater than 512
    Drop connection if command recipient count is greater than 100
    Drop connection if body line length is greater than 1000
    Drop connection and log if sender address length is greater than 320
    Drop connection and log if MIME file name length is greater than 255

Customize: Opens the Customize Security Level dialog box for additional settings.
Default Level: Sets the security level back to the default level of Low.
MIME File Type Filtering: Opens the MIME Type Filtering dialog box to configure MIME file type filters.

ESMTP Inspect Maps: Table that lists the defined ESMTP inspect maps. The defined inspect maps are also listed in the ESMTP area of the Inspect Maps tree.
Add: Adds the new ESMTP inspect map to the defined list in the ESMTP Inspect Maps table and to the ESMTP area of the Inspect Maps tree. To configure the new ESMTP map, select the ESMTP entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the ESMTP Inspect Maps table and from the ESMTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured ESMTP application inspection maps.
Fields

Settings: Specifies ESMTP security settings and actions.
  Mask server banner: Enforces banner obfuscation.
  Configure Mail Relay: Enables ESMTP mail relay.
    Domain Name: Specifies a local domain.
    Action: Drop connection or log.
    Log: Enable or disable.
  Check for command line length: Enables command line length matching at the specified length.
    Minimum Length: Shows the minimum length configured.
    Action: Reset, drop connection, or log.
    Log: Enable or disable.
  Check for command recipient count: Enables command recipient count matching at the specified count.
    Minimum Count: Shows the minimum count configured.
    Action: Reset, drop connection, or log.
    Log: Enable or disable.
  Check for body line length: Enables body line length matching at the specified length.
    Minimum Length: Shows the minimum length configured.
    Action: Reset, drop connection, or log.
    Log: Enable or disable.
  Check for sender address length: Enables sender address length matching at the specified length.
    Minimum Length: Shows the minimum length configured.
    Action: Reset, drop connection, or log.
    Log: Enable or disable.
  Check for MIME file name length: Enables MIME file name length matching at the specified length.
    Minimum Length: Shows the minimum length configured.
    Action: Reset, drop connection, or log.
    Log: Enable or disable.

Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  Reset to: Specifies the high, medium, or low security setting.
  Reset: Resets the settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

MIME File Type Filtering


The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.
Fields

Match Type: Shows the match type, which can be a positive or negative match.
Criterion: Shows the criterion of the inspection.
Value: Shows the value to match in the inspection.
Action: Shows the action if the match condition is met.
Log: Shows the log state.
Add: Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.
Edit: Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.
Delete: Deletes a MIME file type filter.
Move Up: Moves an entry up in the list.
Move Down: Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

ESMTP Inspect Map Basic View


The ESMTP Inspect Map Basic View pane shows the configured settings for the ESMTP inspect map. The Advanced View lets you configure the settings.
Fields

Name: Shows the name of the previously configured ESMTP map.
Description: Enter the description of the ESMTP map, up to 200 characters in length.
Security Level: Shows the current security settings.
  Customize: Opens the Customize Security Level dialog box to configure the security settings.
  Default Level: Sets the security level back to the default.

MIME File Type Filtering: Opens the MIME Type Filtering dialog box to configure MIME file type filters.
Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

ESMTP Inspect Map Advanced View


The ESMTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

Name: Shows the name of the previously configured ESMTP map.
Description: Enter the description of the ESMTP map, up to 200 characters in length.
Parameters: Tab that lets you configure the parameters for the ESMTP inspect map.
  Mask server banner: Enforces banner obfuscation.
  Encrypted Packet Inspection: Configures encrypted traffic inspection options.
    Disable Inspection for encrypted traffic (over TLS) on an ESMTP Session: Disables encrypted traffic inspection.
    Enable Logging for encrypted traffic: Enables logging if encrypted traffic inspection is disabled.

Filtering: Tab that lets you configure the filtering settings for the ESMTP inspect map.
  Configure Mail Relay: Enables ESMTP mail relay.
    Domain Name: Specifies a local domain.
    Action: Drop connection or log.
    Log: Enable or disable.
  Check for special characters PIPE (|), backquote (`), NUL in sender or recipient address: Checks for PIPE, backquote, and NUL characters.
    Action: Drop connection or log.
    Log: Enable or disable.

Inspections: Tab that shows the ESMTP inspection configuration and lets you add or edit entries.
  Match Type: Shows the match type, which can be a positive or negative match.
  Criterion: Shows the criterion of the ESMTP inspection.
  Value: Shows the value to match in the ESMTP inspection.
  Action: Shows the action if the match condition is met.
  Log: Shows the log state.
  Add: Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.
  Edit: Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.
  Delete: Deletes an ESMTP inspection.
  Move Up: Moves an inspection up in the list.
  Move Down: Moves an inspection down in the list.
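The following Python example, added for this page and not taken from the ASDM guide or the appliance, runs the ESMTP checks described in the Customize Security Level dialog and the Filtering tab over a constructed client session: command line length (512), command recipient count (100), body line length (1000), sender address length (320), MIME file name length (255), the PIPE/backquote/NUL check on sender and recipient addresses, mail-relay restriction to configured local domains, and server banner masking. The thresholds are the values from the Low/Medium/High level descriptions; the Low level logs and the Medium and High levels drop the connection, as those descriptions state. Two points are assumptions made for the example: that a recipient whose domain is not one of the configured local domains counts as a relay attempt, and that banner masking is rendered as asterisks.

```python
"""Illustrative ESMTP inspection checks (not the security appliance's code).

Thresholds come from the Low/Medium/High level descriptions on this page.
The relay rule (non-local recipient domain = relay attempt) and the asterisk
form of banner masking are assumptions made for this example."""
import re

LIMITS = {"command_line": 512, "recipients": 100, "body_line": 1000,
          "sender_address": 320, "mime_filename": 255}
SPECIAL_CHARS = re.compile(r"[|`\x00]")                        # PIPE, backquote, NUL
ADDRESS_RE = re.compile(r"<([^>]*)>")                          # address inside MAIL FROM:<...> / RCPT TO:<...>
FILENAME_RE = re.compile(r'(?:file)?name\s*=\s*"?([^";]+)', re.IGNORECASE)


def mask_server_banner(line):
    """Replace the text of the server's 220 greeting with asterisks of the same length
    (one possible rendering of 'Mask server banner'; the exact form is an assumption)."""
    if line.startswith("220"):
        return line[:3] + "".join("*" if ch != " " else " " for ch in line[3:])
    return line


class EsmtpInspector:
    """Applies the checks to the client-to-server side of one ESMTP session.

    level 'low' logs each violation; 'medium' and 'high' drop the connection."""

    def __init__(self, level="medium", local_domains=(), limits=LIMITS):
        self.action = "log" if level == "low" else "drop connection"
        self.local_domains = {d.lower() for d in local_domains}
        self.limits = limits
        self.findings = []        # (check, action, detail)
        self.recipients = 0
        self.in_body = False
        self.dropped = False

    def _violation(self, check, detail):
        self.findings.append((check, self.action, detail))
        if self.action == "drop connection":
            self.dropped = True

    def _check_address(self, line, who):
        m = ADDRESS_RE.search(line)
        addr = m.group(1) if m else line.split(":", 1)[-1].strip()
        if SPECIAL_CHARS.search(addr):
            self._violation("special characters", "%s address %r" % (who, addr))
        return addr

    def feed(self, line):
        """Feed one client line without its CRLF. Returns False once the session is dropped."""
        if self.dropped:
            return False
        if self.in_body:
            if line == ".":
                self.in_body = False
            elif len(line) > self.limits["body_line"]:
                self._violation("body line length", len(line))
            else:
                m = FILENAME_RE.search(line)
                if m and len(m.group(1)) > self.limits["mime_filename"]:
                    self._violation("MIME file name length", len(m.group(1)))
            return not self.dropped
        if len(line) > self.limits["command_line"]:
            self._violation("command line length", len(line))
        verb = line.split(" ", 1)[0].upper()
        if verb == "MAIL":
            sender = self._check_address(line, "sender")
            if len(sender) > self.limits["sender_address"]:
                self._violation("sender address length", len(sender))
            self.recipients = 0
        elif verb == "RCPT":
            rcpt = self._check_address(line, "recipient")
            self.recipients += 1
            if self.recipients > self.limits["recipients"]:
                self._violation("command recipient count", self.recipients)
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if self.local_domains and domain not in self.local_domains:
                self._violation("mail relay", "recipient domain %s is not local" % domain)
        elif verb == "DATA":
            self.in_body = True
        return not self.dropped


def run_demo(level="medium"):
    """Feed a constructed session (not a capture) and return the inspector."""
    insp = EsmtpInspector(level=level, local_domains=["example.com"])
    session = [
        "EHLO mailer.test",
        "MAIL FROM:<attacker|cmd@evil.test>",                        # PIPE in sender address
        "RCPT TO:<alice@example.com>",                                # local recipient
        "RCPT TO:<bob@other.test>",                                   # relay to a non-local domain
        "DATA",
        'Content-Disposition: attachment; filename="' + "a" * 300 + '.exe"',  # 304-char file name
        "x" * 1200,                                                   # over-long body line
        ".",
    ]
    for line in session:
        if not insp.feed(line):
            break
    return insp
```

At the Low level every violation is recorded and the session continues; at Medium the first violation (the PIPE character in the sender address) drops the connection, so nothing after it is inspected.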

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Add/Edit ESMTP Inspect


The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.

Fields

Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

Criterion: Specifies which criterion of ESMTP traffic to match.
  Body Length: Match body length at the specified length in bytes.
  Body Line Length: Match body line length at the specified length in bytes.
  Commands: Match commands exchanged in the ESMTP protocol.
  Command Recipient Count: Match a command recipient count greater than the number specified.
  Command Line Length: Match a command line length greater than the length specified in bytes.
  EHLO Reply Parameters: Match an ESMTP EHLO reply parameter.
  Header Length: Match header length at the length specified in bytes.
  Header To Fields Count: Match a header To fields count greater than the number specified.
  Invalid Recipients Count: Match an invalid recipients count greater than the number specified.
  MIME File Type: Match MIME file type.
  MIME Filename Length: Match MIME filename length.
  MIME Encoding: Match MIME encoding.
  Sender Address: Match sender email address.
  Sender Address Length: Match sender email address length.

Body Length Criterion Values: Specifies the value details for the body length match.
  Greater Than Length: Body length in bytes.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Body Line Length Criterion Values: Specifies the value details for the body line length match.
  Greater Than Length: Body line length in bytes.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Commands Criterion Values: Specifies the value details for the command match.
  Available Commands table: AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SOML, VRFY
  Add: Adds the selected command from the Available Commands table to the Selected Commands table.
  Remove: Removes the selected command from the Selected Commands table.
  Primary Action: Mask, reset, drop connection, none, or limit rate (pps).
  Log: Enable or disable.
  Rate Limit: Do not limit rate, or limit rate (pps).

Command Recipient Count Criterion Values: Specifies the value details for the command recipient count match.
  Greater Than Count: Specify the command recipient count.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Command Line Length Criterion Values: Specifies the value details for the command line length match.
  Greater Than Length: Command line length in bytes.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

EHLO Reply Parameters Criterion Values: Specifies the value details for the EHLO reply parameters match.
  Available Parameters table: 8bitmime, auth, binarymime, checkpoint, dsn, ecode, etrn, others, pipelining, size, vrfy
  Add: Adds the selected parameter from the Available Parameters table to the Selected Parameters table.
  Remove: Removes the selected parameter from the Selected Parameters table.
  Action: Reset, drop connection, mask, or log.
  Log: Enable or disable.


Header Length Criterion Values: Specifies the value details for the header length match.
  Greater Than Length: Header length in bytes.
  Action: Reset, drop connection, mask, or log.
  Log: Enable or disable.

Header To Fields Count Criterion Values: Specifies the value details for the header To fields count match.
  Greater Than Count: Specify the header To fields count.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Invalid Recipients Count Criterion Values: Specifies the value details for the invalid recipients count match.
  Greater Than Count: Specify the invalid recipients count.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

MIME File Type Criterion Values: Specifies the value details for the MIME file type match.
  Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

MIME Filename Length Criterion Values: Specifies the value details for the MIME filename length match.
  Greater Than Length: MIME filename length in bytes.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

MIME Encoding Criterion Values: Specifies the value details for the MIME encoding match.
  Available Encodings table: 7bit, 8bit, base64, binary, others, quoted-printable
  Add: Adds the selected encoding from the Available Encodings table to the Selected Encodings table.
  Remove: Removes the selected encoding from the Selected Encodings table.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Sender Address Criterion Values: Specifies the value details for the sender address match.
  Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Sender Address Length Criterion Values: Specifies the value details for the sender address length match.
  Greater Than Length: Sender address length in bytes.
  Action: Reset, drop connection, or log.
  Log: Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

FTP Inspect Map


The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection. FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation. Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
Security Level: Select the security level (medium or low).

  Low:
    Mask Banner: disabled
    Mask Reply: disabled

  Medium (default):
    Mask Banner: enabled
    Mask Reply: enabled

Customize: Opens the Customize Security Level dialog box for additional settings.
Default Level: Sets the security level back to the default level of Medium.
File Type Filtering: Opens the Type Filtering dialog box to configure file type filters.

FTP Inspect Maps: Table that lists the defined FTP inspect maps. The defined inspect maps are also listed in the FTP area of the Inspect Maps tree.
Add: Adds the new FTP inspect map to the defined list in the FTP Inspect Maps table and to the FTP area of the Inspect Maps tree. To configure the new FTP map, select the FTP entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the FTP Inspect Maps table and from the FTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured FTP application inspection maps.
Fields

Settings: Specifies FTP security settings and actions.
  Mask greeting banner from the server: Masks the greeting banner from the FTP server to prevent the client from discovering server information.
  Mask reply to SYST command: Masks the reply to the SYST command to prevent the client from discovering server information.

Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is medium.
  Reset to: Specifies the high, medium, or low security setting.
  Reset: Resets the settings to the selected level.
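The following Python example is added to show the FTP inspect map settings in action on a constructed control-channel exchange; it is illustrative code written for this page, not the appliance's implementation. It masks the server greeting (220) and the SYST reply (215) so the client cannot fingerprint the server, applies a file type filter to RETR/STOR arguments in the way the File Type Filtering dialog describes (regular expression, Match / No Match, action), and performs the command-terminator and command-validation checks that the FTP Inspect Map overview attributes to strict inspection. The command allowlist, the filter rows and the replies are constructed for the example, and rendering the masked text as asterisks is an assumption.

```python
"""Illustrative FTP control-channel inspection (not the security appliance's code).

Masks the 220 greeting and 215 SYST reply, filters RETR/STOR file names with
the file type filter rows, and enforces the CRLF command terminator and a
command allowlist. The allowlist and asterisk masking are assumptions."""
import re

# Constructed allowlist of commands this example accepts (not the product's command set).
FTP_COMMANDS = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
                "RETR", "STOR", "LIST", "QUIT"}


def mask_reply(reply, codes=("220", "215")):
    """Replace the text of a greeting (220) or SYST (215) reply with asterisks while
    keeping the three-digit code, so the client still parses the reply."""
    code = reply[:3]
    if code in codes and len(reply) > 4:
        return code + " " + "".join("*" if c != " " else " " for c in reply[4:])
    return reply


class FtpInspector:
    """One client/server control connection under an FTP inspect map."""

    def __init__(self, file_filters, mask_banner=True, mask_syst=True):
        self.file_filters = file_filters      # rows of (regex, match, action)
        self.codes = tuple(code for code, enabled in (("220", mask_banner), ("215", mask_syst)) if enabled)
        self.log = []

    def inspect_command(self, raw):
        """Inspect one client command as sent on the wire (bytes including the terminator).
        Returns (verdict, reason) where verdict is 'pass', 'drop' or a filter row's action."""
        if not raw.endswith(b"\r\n"):                           # strict inspection: terminator check
            return "drop", "command not terminated by CRLF"
        line = raw[:-2].decode("ascii", "replace")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in FTP_COMMANDS:                            # command validation
            return "drop", "command %r not permitted" % verb
        if verb in ("RETR", "STOR"):                            # file type filtering
            for pattern, match, action in self.file_filters:
                if bool(re.search(pattern, arg)) == match:      # No Match rows fire on non-matching names
                    self.log.append("%s %s denied by file type filter" % (verb, arg))
                    return action, "file type filter %r" % pattern
        return "pass", None

    def inspect_reply(self, reply):
        """Inspect one server reply line; returns the (possibly masked) line to forward."""
        return mask_reply(reply, self.codes)


# Constructed filter rows: reset transfers of executables.
POLICY = [(r"(?i)\.(exe|dll|scr)$", True, "reset")]


def demo():
    """Run a constructed exchange (not a capture); returns forwarded replies and verdicts."""
    insp = FtpInspector(POLICY)
    replies = [insp.inspect_reply("220 ftp.example.com FTP server ready"),   # masked
               insp.inspect_reply("215 UNIX Type: L8"),                      # masked
               insp.inspect_reply("230 Login successful")]                   # forwarded unchanged
    verdicts = [insp.inspect_command(b"USER anonymous\r\n"),                 # pass
                insp.inspect_command(b"RETR report.pdf\r\n"),                # pass
                insp.inspect_command(b"RETR setup.EXE\r\n"),                 # reset by the filter
                insp.inspect_command(b"RETR x\n"),                           # drop: bad terminator
                insp.inspect_command(b"XABC foo\r\n")]                       # drop: unknown command
    return replies, verdicts
```

With both masking options enabled, the reply codes still reach the client so the session proceeds normally, but the version and operating-system text that would otherwise fingerprint the server is gone.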

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

File Type Filtering


The File Type Filtering dialog box lets you configure the settings for a file type filter.
Fields

Match Type: Shows the match type, which can be a positive or negative match.
Criterion: Shows the criterion of the inspection.
Value: Shows the value to match in the inspection.
Action: Shows the action if the match condition is met.
Log: Shows the log state.
Add: Opens the Add File Type Filter dialog box to add a file type filter.
Edit: Opens the Edit File Type Filter dialog box to edit a file type filter.
Delete: Deletes a file type filter.
Move Up: Moves an entry up in the list.
Move Down: Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System

FTP Inspect Map Basic View


The FTP Inspect Map Basic View pane shows the configured settings for the FTP inspect map. The Advanced View lets you configure the settings.
Fields

Name: Shows the name of the previously configured FTP map.
Description: Enter the description of the FTP map, up to 200 characters in length.
Security Level: Shows the current security settings.
  Customize: Opens the Customize Security Level dialog box to configure the security settings.
  Default Level: Sets the security level back to the default.

File Type Filtering: Opens the Type Filtering dialog box to configure file type filters.
Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

FTP Inspect Map Advanced View


The FTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

• Name—Shows the name of the previously configured FTP map.
• Description—Enter the description of the FTP map, up to 200 characters in length.
• Parameters—Tab that lets you configure the parameters for the FTP inspect map.
  – Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.
  – Mask reply to SYST command—Masks the reply to the syst command to prevent the client from discovering server information.
• Inspections—Tab that shows you the FTP inspection configuration and lets you add or edit.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the FTP inspection.
  – Value—Shows the value to match in the FTP inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.
  – Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.
  – Delete—Deletes an FTP inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit FTP Map


The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.
Fields

• Single Match—Specifies that the FTP inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion—Specifies which criterion of FTP traffic to match.
  – Request Command—Match an FTP request command.
  – File Name—Match a filename for FTP transfer.
  – File Type—Match a file type for FTP transfer.
  – Server—Match an FTP server.
  – User Name—Match an FTP user.
• Request Command Criterion Values—Specifies the value details for FTP request command match.
  – Request Command:
    APPE—Command that appends to a file.
    CDUP—Command that changes to the parent directory of the current working directory.
    DELE—Command that deletes a file.
    GET—Command that gets a file.
    HELP—Command that provides help information.
    MKD—Command that creates a directory.
    PUT—Command that sends a file.
    RMD—Command that deletes a directory.
    RNFR—Command that specifies rename-from filename.
    RNTO—Command that specifies rename-to filename.
    SITE—Commands that are specific to the server system. Usually used for remote administration.
    STOU—Command that stores a file using a unique filename.
• File Name Criterion Values—Specifies the value details for FTP filename match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• File Type Criterion Values—Specifies the value details for FTP file type match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Server Criterion Values—Specifies the value details for FTP server match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• User Name Criterion Values—Specifies the value details for FTP user name match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Multiple Matches—Specifies multiple matches for the FTP inspection.
  – FTP Traffic Class—Specifies the FTP traffic class match.
  – Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class Maps.
• Action—Reset.
• Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
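The following is an added example and not ASDM or Cisco code: it models how the FTP inspect-map settings described in the panes above (Mask greeting banner, Mask reply to SYST, and match statements on Request Command, File Name and User Name with Match/No Match and the Reset action) would be applied to one control-channel session. The rule and policy classes, the transcript, and the verdict names are constructed for the example; the only behaviour taken from the page is what each setting is said to do.

```python
import re
from dataclasses import dataclass

# Commands whose argument is a filename; the File Name criterion applies only to these.
TRANSFER_COMMANDS = {"RETR", "STOR", "APPE", "STOU", "DELE", "RNFR", "RNTO"}

@dataclass
class FtpRule:
    """One match statement of the inspect map (constructed model)."""
    criterion: str          # "request-command", "filename" or "username"
    value: str              # FTP command name, or a regular expression
    no_match: bool = False  # True models the "No Match" match type
    log: bool = True        # the Log setting of the statement

@dataclass
class FtpInspectMap:
    rules: list
    mask_banner: bool = True   # Mask greeting banner from the server
    mask_syst: bool = True     # Mask reply to SYST command

def rule_hits(rule, command, argument):
    """Evaluate one match statement against a parsed client command line."""
    if rule.criterion == "request-command":
        hit = command == rule.value.upper()
    elif rule.criterion == "filename":
        if command not in TRANSFER_COMMANDS:
            return False                        # criterion does not apply to this command
        hit = re.search(rule.value, argument) is not None
    elif rule.criterion == "username":
        if command != "USER":
            return False                        # the user name travels only in USER
        hit = re.search(rule.value, argument) is not None
    else:
        raise ValueError(f"unknown criterion {rule.criterion!r}")
    return (not hit) if rule.no_match else hit

def inspect_session(imap, lines):
    """Walk a control-channel transcript ('C: ' client lines, 'S: ' server lines) and
    return (line, verdict) pairs. The page lists Reset as the action for FTP match
    statements, so the first hit resets the connection and ends the walk."""
    verdicts = []
    last_cmd = None
    for raw in lines:
        side, text = raw[:2], raw[3:]
        if side == "S:":
            if imap.mask_banner and last_cmd is None and text.startswith("220"):
                verdicts.append((raw, "mask-banner"))     # greeting hidden from the client
            elif imap.mask_syst and last_cmd == "SYST" and text.startswith("215"):
                verdicts.append((raw, "mask-syst"))       # OS/type string hidden
            else:
                verdicts.append((raw, "pass"))
            continue
        command, _, argument = text.partition(" ")
        command = command.upper()
        last_cmd = command
        hit = next((r for r in imap.rules if rule_hits(r, command, argument)), None)
        if hit is None:
            verdicts.append((raw, "pass"))
        else:
            verdicts.append((raw, "reset+log" if hit.log else "reset"))
            break
    return verdicts

# Constructed policy: reset deletes and directory removal, executable transfers,
# and anonymous logins.
POLICY = FtpInspectMap(rules=[
    FtpRule("request-command", "DELE"),
    FtpRule("request-command", "RMD"),
    FtpRule("filename", r"\.(exe|dll)$"),
    FtpRule("username", r"^anonymous$"),
])

# Constructed transcript of one control-channel session.
SESSION = [
    "S: 220 example-ftpd ready",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS hunter2",
    "S: 230 User alice logged in",
    "C: SYST",
    "S: 215 UNIX Type: L8",
    "C: RETR report.pdf",
    "S: 150 Opening BINARY mode data connection",
    "C: DELE report.pdf",
    "S: 250 DELE command successful",
]

if __name__ == "__main__":
    for line, verdict in inspect_session(POLICY, SESSION):
        print(f"{verdict:12} {line}")
```

Running the session through the policy shows the two masking settings acting on server replies only, and the session ending at the first client command that hits a match statement; the server's reply to that command is never evaluated because the connection is reset first.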

GTP Inspect Map


The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.

Note

GTP inspection is not available without a special license.

Fields

• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Security level low only.
  – Do not Permit Errors
  – Maximum Number of Tunnels: 500
  – GSN timeout: 00:30:00
  – Pdp-Context timeout: 00:30:00
  – Request timeout: 00:01:00
  – Signaling timeout: 00:30:00
  – Tunnel timeout: 01:00:00
  – T3-response timeout: 00:00:20
  – Drop and log unknown message IDs
• Customize—Opens the Customize Security Level dialog box for additional settings.
• Default Level—Sets the security level back to the default.
• IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.
• GTP Inspect Maps—Table that lists the defined GTP inspect maps. The defined inspect maps are also listed in the GTP area of the Inspect Maps tree.
• Add—Adds the new GTP inspect map to the defined list in the GTP Inspect Maps table and to the GTP area of the Inspect Maps tree. To configure the new GTP map, select the GTP entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the GTP Inspect Maps table and from the GTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System


Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured GTP application inspection maps.
Fields

• Permit Errors—Lets any packets that are invalid or that encountered an error during inspection be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped.
• Drop and Log unknown message IDs—Drops and logs all message IDs that are unknown.
• Maximum Number of Requests—Lets you change the default for the maximum request queue size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999.
• Maximum Number of Tunnels—Lets you change the default for the maximum number of tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit.
• Timeouts
  – GSN timeout—Lets you change the default for the maximum period of inactivity before a GSN is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – PDP-Context timeout—Lets you change the default for the maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Tunnel—Lets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Request timeout—Specifies the GTP Request idle timeout.
  – T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.
• Reset to—Specifies low security setting.
• Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

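As an added example (not ASDM or Cisco code), the following shows how the hh:mm:ss idle timeouts from the Customize Security Level dialog above translate into tear-down decisions, including the stated rule that a value of 0 means never tear down. The state snapshot, the key names and the decision to treat 00:00:00 like 0 are constructed assumptions for this example; the default timeout values are the ones quoted in the dialog.

```python
import re

# hh:mm:ss as the dialog describes it; the hour field is left unbounded because the
# page states only the format, not an upper limit (assumption).
TIMEOUT_RE = re.compile(r"^(\d+):([0-5]\d):([0-5]\d)$")

def parse_timeout(text):
    """Return the idle limit in seconds, or None for 'never tear down'.
    The page says a value of 0 means never tear down; 00:00:00 is treated the
    same way here (assumption)."""
    text = text.strip()
    if text == "0":
        return None
    m = TIMEOUT_RE.match(text)
    if not m:
        raise ValueError(f"timeout must be hh:mm:ss or 0, got {text!r}")
    hh, mm, ss = (int(g) for g in m.groups())
    total = hh * 3600 + mm * 60 + ss
    return None if total == 0 else total

# Defaults as listed in the Customize Security Level dialog.
DEFAULT_TIMEOUTS = {
    "gsn": "00:30:00",
    "pdp-context": "00:30:00",
    "request-queue": "00:01:00",
    "signaling": "00:30:00",
    "tunnel": "01:00:00",
}

def expired_entries(entries, timeouts, now):
    """entries: (kind, key, last_activity) tuples with times in seconds.
    Returns, in input order, the keys whose inactivity exceeds the limit configured
    for their kind; a kind configured as 0 is never torn down for inactivity."""
    limits = {kind: parse_timeout(value) for kind, value in timeouts.items()}
    torn_down = []
    for kind, key, last_seen in entries:
        limit = limits[kind]
        if limit is not None and now - last_seen > limit:
            torn_down.append(key)
    return torn_down

# Constructed snapshot of tracked GTP state (last activity in seconds).
STATE = [
    ("gsn", "gsn:192.0.2.10", 0),
    ("pdp-context", "pdp:imsi-001010123456789/nsapi-5", 1500),
    ("tunnel", "tun:teid-0x1a2b3c4d", 0),
    ("request-queue", "req:seq-42", 3500),
]

if __name__ == "__main__":
    print(expired_entries(STATE, DEFAULT_TIMEOUTS, now=3600))
```

With the defaults, a sweep at t=3600 removes the GSN (idle 3600 s against 30 minutes), the PDP context (idle 2100 s) and the queued request (idle 100 s against 1 minute) while the tunnel, idle exactly 1 hour, survives because the limit is exceeded only when inactivity is strictly greater than it. Setting the GSN timeout to 0 keeps the GSN entry indefinitely.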

IMSI Prefix Filtering


The IMSI Prefix tab lets you define the IMSI prefix to allow within GTP requests.
Fields

• Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries will be prepended by 0 to create a three-digit value.
• Mobile Network Code—Defines the two- or three-digit value identifying the network code.
• Add—Adds the specified country code and network code to the IMSI Prefix table.
• Delete—Deletes the specified country code and network code from the IMSI Prefix table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

GTP Inspect Map Basic View


The GTP Inspect Map Basic View pane shows the configured settings for the GTP inspect map. The Advanced View lets you configure the settings.
Fields

• Name—Shows the name of the previously configured GTP map.
• Description—Enter the description of the GTP map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.
• Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

GTP Inspect Map Advanced View


The GTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

• Name—Shows the name of the previously configured GTP map.
• Description—Enter the description of the GTP map, up to 200 characters in length.
• Permit Parameters—Tab that lets you configure the permit parameters for the GTP inspect map.
  – Object Groups to Add
    From object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.
    To object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.
  – Add—Adds the specified country code and network code to the IMSI Prefix table.
  – Delete—Deletes the specified country code and network code from the IMSI Prefix table.
  – Permit Errors—Lets any packets that are invalid or that encountered an error during inspection be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped.
• General Parameters—Tab that lets you configure the general parameters for the GTP inspect map.
  – Maximum Number of Requests—Lets you change the default for the maximum request queue size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999.
  – Maximum Number of Tunnels—Lets you change the default for the maximum number of tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit.
  – Timeouts
    GSN timeout—Lets you change the default for the maximum period of inactivity before a GSN is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
    PDP-Context timeout—Lets you change the default for the maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
    Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
    Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
    Tunnel—Lets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
    Request timeout—Specifies the GTP Request idle timeout.
    T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.
• IMSI Prefix Filtering—Tab that lets you configure the IMSI prefix filtering for the GTP inspect map.
  – Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries will be prepended by 0 to create a three-digit value.
  – Mobile Network Code—Defines the two- or three-digit value identifying the network code.
  – Add—Adds the specified country code and network code to the IMSI Prefix table.
  – Delete—Deletes the specified country code and network code from the IMSI Prefix table.
• Inspections—Tab that lets you configure the GTP inspect maps.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the GTP inspection.
  – Value—Shows the value to match in the GTP inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add GTP Inspect dialog box to add a GTP inspection.
  – Edit—Opens the Edit GTP Inspect dialog box to edit a GTP inspection.
  – Delete—Deletes a GTP inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit GTP Map


The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map.
Fields

• Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion—Specifies which criterion of GTP traffic to match.
  – Access Point Name—Match on access point name.
  – Message ID—Match on the message ID.
  – Message Length—Match on the message length.
  – Version—Match on the version.
• Access Point Name Criterion Values—Specifies an access point name to be matched. By default, all messages with valid APNs are inspected, and any APN is allowed.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Action—Drop.
  – Log—Enable or disable.
• Message ID Criterion Values—Specifies the numeric identifier for the message that you want to match. The valid range is 1 to 255. By default, all valid message IDs are allowed.
  – Value—Specifies whether value is an exact match or a range.
    Equals—Enter a value.
    Range—Enter a range of values.
  – Action—Drop packet or limit rate (pps).
  – Log—Enable or disable.
• Message Length Criterion Values—Lets you change the default for the maximum message length for the UDP payload that is allowed.
  – Minimum value—Specifies the minimum number of bytes in the UDP payload. The range is from 1 to 65536.
  – Maximum value—Specifies the maximum number of bytes in the UDP payload. The range is from 1 to 65536.
  – Action—Drop packet.
  – Log—Enable or disable.
• Version Criterion Values—Specifies the GTP version for messages that you want to match. The valid range is 0-255. Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 3386, while Version 1 uses port 2123. By default all GTP versions are allowed.
  – Value—Specifies whether value is an exact match or a range.
    Equals—Enter a value.
    Range—Enter a range of values.
  – Action—Drop packet.
  – Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
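The following is an added example, not ASDM or Cisco code, serving both the IMSI Prefix Filtering dialog and the Add/Edit GTP Map criteria above: it applies a Version, Message ID, Message Length and IMSI-prefix policy to a raw GTP datagram. The header and information-element layout follow 3GPP TS 29.060 for GTPv1 (mandatory 8-octet header, 4 optional octets when the E, S or PN flag is set, TV elements with fixed lengths, TLV elements with a 2-octet length, IMSI as 8 TBCD octets); the policy values, the sample Create PDP Context Request, the IE-length subset and the verdict strings are constructed for this example. MCC entries shorter than three digits are zero-padded, as the dialog states.

```python
import struct

GTPV1_PORT, GTPV0_PORT = 2123, 3386   # control-plane ports quoted on the page
IE_IMSI = 0x02                        # GTPv1 IMSI IE: type octet + 8 octets TBCD

# Payload lengths of the TV-format (type < 0x80) GTPv1 IEs this example can skip on
# its way to the IMSI (subset of TS 29.060; TLV IEs carry their own length).
TV_IE_LENGTHS = {0x01: 1, 0x02: 8, 0x03: 6, 0x04: 4, 0x05: 4, 0x0e: 1,
                 0x0f: 1, 0x10: 4, 0x11: 4, 0x14: 1, 0x7f: 4}

def decode_tbcd(raw):
    """TBCD: two digits per octet, low nibble first, a 0xF nibble is filler."""
    return "".join(str(nib) for b in raw for nib in (b & 0x0F, b >> 4) if nib != 0x0F)

def encode_tbcd(digits, octets=8):
    if len(digits) % 2:
        digits += "F"
    out = bytes(int(digits[i], 16) | (int(digits[i + 1], 16) << 4)
                for i in range(0, len(digits), 2))
    return out.ljust(octets, b"\xff")

def parse_ies(payload):
    ies, i = {}, 0
    while i < len(payload):
        t = payload[i]
        if t < 0x80:
            n = TV_IE_LENGTHS.get(t)
            if n is None:
                raise ValueError(f"unknown TV IE 0x{t:02x}")   # later IEs cannot be located
            ies[t], i = payload[i + 1:i + 1 + n], i + 1 + n
        else:
            (n,) = struct.unpack("!H", payload[i + 1:i + 3])
            ies[t], i = payload[i + 3:i + 3 + n], i + 3 + n
    return ies

def parse_gtpv1(datagram):
    """Mandatory 8-octet header, 4 optional octets if E/S/PN is set, then IEs."""
    if len(datagram) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    info = {"version": flags >> 5, "pt": (flags >> 4) & 1, "msg_type": msg_type,
            "length": length, "teid": teid, "ies": {}}
    if info["version"] != 1 or info["pt"] != 1:
        return info                      # not GTPv1: IEs left unparsed, version still checked
    if 8 + length > len(datagram):
        raise ValueError("length field exceeds datagram")
    hdr_len = 12 if flags & 0x07 else 8
    info["ies"] = parse_ies(datagram[hdr_len:8 + length])
    return info

# Constructed policy in the terms of the Add/Edit GTP Map and IMSI Prefix Filtering dialogs.
POLICY = {
    "version_equals": 1,                              # Version criterion, Equals 1
    "message_id_range": (3, 15),                      # Message ID criterion, Range: drop reserved IDs
    "message_length": (1, 1400),                      # Message Length criterion: UDP payload bytes
    "imsi_prefixes": [("310", "150"), ("1", "01")],   # IMSI Prefix table rows (MCC, MNC)
}

def evaluate(datagram, policy):
    """Return 'permit' or 'drop:<reason>' for one UDP payload seen on the GTP-C port."""
    lo, hi = policy["message_length"]
    if not lo <= len(datagram) <= hi:
        return "drop:message-length"
    try:
        hdr = parse_gtpv1(datagram)
    except (ValueError, struct.error):
        return "drop:malformed"
    if hdr["version"] != policy["version_equals"]:
        return "drop:version"
    lo, hi = policy["message_id_range"]
    if lo <= hdr["msg_type"] <= hi:
        return "drop:message-id"
    raw_imsi = hdr["ies"].get(IE_IMSI)
    if raw_imsi is not None:
        imsi = decode_tbcd(raw_imsi)
        if not any(imsi.startswith(mcc.zfill(3) + mnc) for mcc, mnc in policy["imsi_prefixes"]):
            return "drop:imsi-prefix"
    return "permit"

def build_create_pdp_request(imsi, teid=0, seq=1):
    """Constructed GTPv1 Create PDP Context Request (message type 16) with the S flag set."""
    ies = bytes([IE_IMSI]) + encode_tbcd(imsi)
    ies += bytes([0x0e, 0x01])                            # Recovery
    ies += bytes([0x0f, 0xfc])                            # Selection Mode
    ies += bytes([0x10]) + struct.pack("!I", 0x1a2b3c4d)  # TEID Data I
    ies += bytes([0x14, 0x05])                            # NSAPI
    apn = b"\x08internet"                                 # APN, label-encoded (TLV 0x83)
    ies += bytes([0x83]) + struct.pack("!H", len(apn)) + apn
    optional = struct.pack("!HBB", seq, 0, 0)             # sequence number, N-PDU, next ext header
    flags = (1 << 5) | (1 << 4) | 0x02                    # version 1, PT=1, S=1
    return struct.pack("!BBHI", flags, 16, len(optional) + len(ies), teid) + optional + ies

if __name__ == "__main__":
    print(evaluate(build_create_pdp_request("310150123456789"), POLICY))
```

A message whose length field claims more octets than the datagram carries is reported as malformed rather than parsed, which is the situation the Permit Errors setting governs: with that setting off, such packets are dropped.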

H.323 Inspect Map


The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection. H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, protocol state tracking, H.323 call duration enforcement, and audio/video control.
Fields

• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Select the security level (low, medium, or high).
  – Low—Default.
    State Checking h225: Disabled
    State Checking ras: Disabled
    Call Party Number: Disabled
    Call duration Limit: Disabled
    RTP conformance: not enforced
  – Medium
    State Checking h225: Enabled
    State Checking ras: Enabled
    Call Party Number: Disabled
    Call duration Limit: Disabled
    RTP conformance: enforced
    Limit payload to audio or video, based on the signaling exchange: no
  – High
    State Checking h225: Enabled
    State Checking ras: Enabled
    Call Party Number: Enabled
    Call duration Limit: 1:00:00
    RTP conformance: enforced
    Limit payload to audio or video, based on the signaling exchange: yes
• Customize—Opens the Customize Security Level dialog box for additional settings.
• Default Level—Sets the security level back to the default level of Medium.
• Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.
• H.323 Inspect Maps—Table that lists the defined H.323 inspect maps. The defined inspect maps are also listed in the H.323 area of the Inspect Maps tree.
• Add—Adds the new H.323 inspect map to the defined list in the H.323 Inspect Maps table and to the H.323 area of the Inspect Maps tree. To configure the new H.323 map, select the H.323 entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the H.323 Inspect Maps table and from the H.323 area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured H.323 application inspection maps.
Fields

• Settings—Specifies H.323 security settings and actions.
  – Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.
  – Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
  – Enforce call duration limit—Enforces the absolute limit on a call.
    Call Duration Limit—Time limit for the call (hh:mm:ss).
  – Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.
  – Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.
    Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.
• Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  – Reset to—Specifies high, medium, or low security setting.
  – Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Phone Number Filtering


The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.
Fields

• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
• Action—Shows the action if the match condition is met.
• Log—Shows the log state.
• Add—Opens the Add Phone Number Filter dialog box to add a phone number filter.
• Edit—Opens the Edit Phone Number Filter dialog box to edit a phone number filter.
• Delete—Deletes a phone number filter.
• Move Up—Moves an entry up in the list.
• Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

H.323 Inspect Map Basic View


The H.323 Inspect Map Basic View pane shows the configured settings for the H.323 inspect map. The Advanced View lets you configure the settings.
Fields

• Name—Shows the name of the previously configured H.323 map.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• Phone Number Filtering—Opens the Phone Number Filtering dialog box, which lets you configure the settings for a phone number filter.
• Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

H.323 Inspect Map Advanced View


The H.323 Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

• Name—Shows the name of the previously configured H.323 map.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map.
  – Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.
  – Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
• Call Attributes—Tab that lets you configure call attributes parameters for the H.323 inspect map.
  – Enforce call duration limit—Enforces the absolute limit on a call.
    Call Duration Limit—Time limit for the call (hh:mm:ss).
  – Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.
• Tunneling and Protocol Conformance—Tab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.
  – Check for H.245 tunneling—Allows H.245 tunneling.
    Action—Drop connection or log.
  – Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.
    Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.
• HSI Group Parameters—Tab that lets you configure an HSI group.
  – HSI Group ID—Shows the HSI Group ID.
  – IP Address—Shows the HSI Group IP address.
  – Endpoints—Shows the HSI Group endpoints.
  – Add—Opens the Add HSI Group dialog box to add an HSI group.
  – Edit—Opens the Edit HSI Group dialog box to edit an HSI group.
  – Delete—Deletes an HSI group.
• Inspections—Tab that shows you the H.323 inspection configuration and lets you add or edit.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the H.323 inspection.
  – Value—Shows the value to match in the H.323 inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add H.323 Inspect dialog box to add an H.323 inspection.
  – Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection.
  – Delete—Deletes an H.323 inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System


Add/Edit HSI Group


The Add/Edit HSI Group dialog box lets you configure HSI Groups.
Fields

• Group ID—Enter the HSI group ID.
• IP Address—Enter the HSI IP address.
• Endpoints—Lets you configure the IP address and interface of the endpoints.
  – IP Address—Enter an endpoint IP address.
  – Interface—Specifies an endpoint interface.
• Add—Adds the HSI group defined.
• Delete—Deletes the selected HSI group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit H.323 Map


The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.
Fields

• Single Match—Specifies that the H.323 inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
• Criterion—Specifies which criterion of H.323 traffic to match.
  – Called Party—Match the called party.
  – Calling Party—Match the calling party.
  – Media Type—Match the media type.
• Called Party Criterion Values—Specifies to match on the H.323 called party.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values—Specifies to match on the H.323 calling party.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Media Type Criterion Values—Specifies which media type to match.
  – Audio—Match audio type.
  – Video—Match video type.
  – Data—Match data type.
• Multiple Matches—Specifies multiple matches for the H.323 inspection.
  – H323 Traffic Class—Specifies the H.323 traffic class match.
  – Manage—Opens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 Class Maps.
• Action—Drop packet, drop connection, or reset.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
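As an added example that is not ASDM or Cisco code, the following applies the H.323 call-attribute settings and phone-number match statements described in the panes above (enforce presence of calling and called party numbers, call duration limit in hh:mm:ss, limit payload to audio or video, and Called/Calling Party regular-expression matches with Match or No Match and a drop-packet, drop-connection or reset action) to a set of call records. The Call, PartyRule and H323Policy classes, the number patterns, the call records and the action strings are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Call:
    """Constructed view of one H.323 call as the inspector sees it."""
    calling: Optional[str]     # calling party number from call setup, None if absent
    called: Optional[str]      # called party number, None if absent
    media: frozenset           # negotiated media types, subset of {"audio", "video", "data"}
    duration_s: int            # elapsed call time in seconds

@dataclass
class PartyRule:
    """One Phone Number Filtering match statement (Called Party or Calling Party criterion)."""
    party: str                 # "called" or "calling"
    regex: str
    no_match: bool = False     # True models the "No Match" match type
    action: str = "drop-connection"   # drop-packet, drop-connection or reset

@dataclass
class H323Policy:
    enforce_party_numbers: bool = True               # Enforce presence of calling and called party numbers
    call_duration_limit: Optional[str] = "1:00:00"   # Call Duration Limit (hh:mm:ss); None = not enforced
    audio_video_only: bool = True                    # Limit payload to audio or video
    party_rules: tuple = ()

def hms_to_seconds(text):
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s

def evaluate_call(call, policy):
    """Return the actions the inspector would take for this call; an empty list means allow."""
    actions = []
    if policy.enforce_party_numbers and not (call.calling and call.called):
        actions.append("drop-connection:missing-party-number")
    for rule in policy.party_rules:
        number = call.called if rule.party == "called" else call.calling
        if number is None:
            continue                                  # nothing to match against
        hit = re.search(rule.regex, number) is not None
        if hit != rule.no_match:                      # Match: a hit; No Match: everything but a hit
            actions.append(f"{rule.action}:{rule.party}-party")
    if policy.audio_video_only and not call.media <= {"audio", "video"}:
        actions.append("drop-packet:payload-not-audio-video")
    if policy.call_duration_limit is not None and \
            call.duration_s > hms_to_seconds(policy.call_duration_limit):
        actions.append("drop-connection:duration-limit")
    return actions

# Constructed policy: drop premium-rate destinations, reset calls not placed from
# the site's own number range, keep the one-hour limit of the High level.
POLICY = H323Policy(party_rules=(
    PartyRule("called", r"^(900|976)\d{7}$"),
    PartyRule("calling", r"^\+?1555\d{7}$", no_match=True, action="reset"),
))

CALLS = [  # constructed call records
    Call("15551234567", "14085551212", frozenset({"audio"}), 600),
    Call("15551234567", "9005551234", frozenset({"audio"}), 30),
    Call(None, "14085551212", frozenset({"audio"}), 10),
    Call("15551234567", "14085551212", frozenset({"audio", "data"}), 4000),
    Call("12125550100", "14085551212", frozenset({"audio"}), 10),
]

if __name__ == "__main__":
    for call in CALLS:
        print(call.calling, "->", call.called, evaluate_call(call, POLICY) or ["allow"])
```

The No Match rule is the one to read carefully: it fires for every calling number except those the pattern accepts, so a call with no calling number at all is caught by the presence check rather than by the pattern, which is why the presence setting matters when No Match rules are in use.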

HTTP Inspect Map


The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection. HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance. HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.
Fields

• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Select the security level (low, medium, or high).
  – Low—Default.
    Protocol violation action: Drop connection
    Drop connections for unsafe methods: Disabled
    Drop connections for requests with non-ASCII headers: Disabled
    URI filtering: Not configured
    Advanced inspections: Not configured
  – Medium
    Protocol violation action: Drop connection
    Drop connections for unsafe methods: Allow only GET, HEAD, and POST
    Drop connections for requests with non-ASCII headers: Disabled
    URI filtering: Not configured
    Advanced inspections: Not configured
  – High
    Protocol violation action: Drop connection and log
    Drop connections for unsafe methods: Allow only GET and HEAD
    Drop connections for requests with non-ASCII headers: Enabled
    URI filtering: Not configured
    Advanced inspections: Not configured
• Customize—Opens the Customize Security Level dialog box for additional settings.
• Default Level—Sets the security level back to the default level of Medium.
• URI Filtering—Opens the URI Filtering dialog box to configure URI filters.
• HTTP Inspect Maps—Table that lists the defined HTTP inspect maps. The defined inspect maps are also listed in the HTTP area of the Inspect Maps tree.
• Add—Adds the new HTTP inspect map to the defined list in the HTTP Inspect Maps table and to the HTTP area of the Inspect Maps tree. To configure the new HTTP map, select the HTTP entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the HTTP Inspect Maps table and from the HTTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System


Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured HTTP application inspection maps.
Fields

Settings: Specifies HTTP security settings and actions.
  Check for protocol violations: Checks for HTTP protocol violations.
    Action: Drop Connection, Reset, Log.
    Log: Enable or disable.
  Drop connections for unsafe methods: Checks for unsafe methods and drops the connection.
    Allow Only: GET and HEAD; or GET, HEAD, and POST.
  Drop connections for requests with non-ASCII headers: Checks for non-ASCII characters in the message header.
Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  Reset to: Specifies high, medium, or low security setting.
  Reset: Resets settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

URI Filtering
The URI Filtering dialog box lets you configure the settings for a URI filter.
Fields

Match Type: Shows the match type, which can be a positive or negative match.
Criterion: Shows the criterion of the inspection.
Value: Shows the value to match in the inspection.
Action: Shows the action if the match condition is met.
Log: Shows the log state.
Add: Opens the Add URI Filtering dialog box to add a URI filter.
Edit: Opens the Edit URI Filtering dialog box to edit a URI filter.
Delete: Deletes a URI filter.
Move Up: Moves an entry up in the list.
Move Down: Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

HTTP Inspect Map Basic View


The HTTP Inspect Map Basic View pane shows the configured settings for the HTTP inspect map. The Advanced View lets you configure the settings.
Fields

Name: Shows the name of the previously configured HTTP map.
Description: Enter the description of the HTTP map, up to 200 characters in length.
Security Level: Shows the current security settings.
  Customize: Opens the Customize Security Level dialog box to configure the security settings.
  Default Level: Sets the security level back to the default.
URI Filtering: Opens the URI Filtering dialog box, which lets you configure the settings for a URI filter.
Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

HTTP Inspect Map Advanced View


The HTTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

Name: Shows the name of the previously configured HTTP map.
Description: Enter the description of the HTTP map, up to 200 characters in length.
Parameters: Tab that lets you configure the parameters for the HTTP inspect map.
  Check for protocol violations: Checks for HTTP protocol violations.
    Action: Drop Connection, Reset, Log.
    Log: Enable or disable.
  Spoof server string: Replaces the server HTTP header value with the specified string.
    Spoof String: Enter a string to substitute for the server header field. Maximum is 82 characters.
  Body Match Maximum: The maximum number of characters in the body of an HTTP message that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance.
Inspections: Tab that shows you the HTTP inspection configuration and lets you add or edit.
  Match Type: Shows the match type, which can be a positive or negative match.
  Criterion: Shows the criterion of the HTTP inspection.
  Value: Shows the value to match in the HTTP inspection.
  Action: Shows the action if the match condition is met.
  Log: Shows the log state.
  Add: Opens the Add HTTP Inspect dialog box to add an HTTP inspection.
  Edit: Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.
  Delete: Deletes an HTTP inspection.
  Move Up: Moves an inspection up in the list.
  Move Down: Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit HTTP Map


The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.
Fields

Single Match: Specifies that the HTTP inspect has only one match statement.
Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
Criterion: Specifies which criterion of HTTP traffic to match.
  Request/Response Content Type Mismatch: Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
  Request Arguments: Applies the regular expression match to the arguments of the request.

    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Request Body Length: Applies the regular expression match to the body of the request with field length greater than the bytes specified.
    Greater Than Length: Enter a field length value in bytes that request field lengths will be matched against.
  Request Body: Applies the regular expression match to the body of the request.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Request Header Field Count: Applies the regular expression match to the header of the request with a maximum number of header fields.
    Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Count: Enter the maximum number of header fields.
  Request Header Field Length: Applies the regular expression match to the header of the request with field length greater than the bytes specified.
    Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Length: Enter a field length value in bytes that request field lengths will be matched against.
  Request Header Field: Applies the regular expression match to the header of the request.


    Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Request Header Count: Applies the regular expression match to the header of the request with a maximum number of headers.
    Greater Than Count: Enter the maximum number of headers.
  Request Header Length: Applies the regular expression match to the header of the request with length greater than the bytes specified.
    Greater Than Length: Enter a header length value in bytes.
  Request Header non-ASCII: Matches non-ASCII characters in the header of the request.
  Request Method: Applies the regular expression match to the method of the request.
    Method: Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
    Regular Expression: Specifies to match on a regular expression.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Request URI Length: Applies the regular expression match to the URI of the request with length greater than the bytes specified.
    Greater Than Length: Enter a URI length value in bytes.
  Request URI: Applies the regular expression match to the URI of the request.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Response Body: Applies the regular expression match to the body of the response.


    ActiveX: Specifies to match on ActiveX.
    Java Applet: Specifies to match on a Java Applet.
    Regular Expression: Specifies to match on a regular expression.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Response Body Length: Applies the regular expression match to the body of the response with field length greater than the bytes specified.
    Greater Than Length: Enter a field length value in bytes that response field lengths will be matched against.
  Response Header Field Count: Applies the regular expression match to the header of the response with a maximum number of header fields.
    Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Count: Enter the maximum number of header fields.
  Response Header Field Length: Applies the regular expression match to the header of the response with field length greater than the bytes specified.
    Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Length: Enter a field length value in bytes that response field lengths will be matched against.
  Response Header Field: Applies the regular expression match to the header of the response.
    Predefined: Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    Regular Expression: Lists the defined regular expressions to match.


    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  Response Header Count: Applies the regular expression match to the header of the response with a maximum number of headers.
    Greater Than Count: Enter the maximum number of headers.
  Response Header Length: Applies the regular expression match to the header of the response with length greater than the bytes specified.
    Greater Than Length: Enter a header length value in bytes.
  Response Header non-ASCII: Matches non-ASCII characters in the header of the response.
  Response Status Line: Applies the regular expression match to the status line.
    Regular Expression: Lists the defined regular expressions to match.
    Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class: Lists the defined regular expression classes to match.
    Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Multiple Matches: Specifies multiple matches for the HTTP inspection.
  HTTP Traffic Class: Specifies the HTTP traffic class match.
  Manage: Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.
Action: Drop connection, reset, or log.
Log: Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
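The HTTP inspect map settings above (the Low/Medium/High presets, the unsafe-method and non-ASCII header checks, header count and URI length limits, URI filters with the Match/No Match semantics, and the Spoof server string option) are easier to reason about when their decision logic is written out. The following is an added example for this guide, not ASDM or ASA code; the policy class, the sample requests and the action names are this example's own constructions, and the limits it applies are the ones quoted in the text.

```python
"""Model of the HTTP inspect map checks described above: security-level
presets (allowed methods, non-ASCII header check), header count/length
limits, URI filters with positive/negative match semantics, and server
header spoofing. Added example, not ASDM or ASA code."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpInspectPolicy:
    name: str
    allowed_methods: Optional[frozenset] = None   # None: any method passes
    drop_non_ascii_headers: bool = False
    log_protocol_violations: bool = False
    max_header_count: Optional[int] = None
    max_uri_length: Optional[int] = None
    # (regex, match_positive, action); match_positive=False is the "No Match" type
    uri_filters: list = field(default_factory=list)


# Presets mirroring the Low/Medium/High descriptions in the text.
LOW = HttpInspectPolicy("low")
MEDIUM = HttpInspectPolicy("medium", allowed_methods=frozenset({"GET", "HEAD", "POST"}))
HIGH = HttpInspectPolicy("high", allowed_methods=frozenset({"GET", "HEAD"}),
                         drop_non_ascii_headers=True, log_protocol_violations=True)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request(raw: bytes):
    """Split the request head into (method, uri, [(name, value), ...]).
    Raises ValueError on anything that is not well-formed HTTP."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        request_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII request line")
    m = REQUEST_LINE.match(request_line)
    if m is None:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return m.group(1), m.group(2), headers


def inspect(raw: bytes, policy: HttpInspectPolicy):
    """Return (action, reason); action is "allow" or "drop-connection"."""
    try:
        method, uri, headers = parse_request(raw)
    except ValueError as exc:
        logged = " [logged]" if policy.log_protocol_violations else ""
        return "drop-connection", f"protocol violation: {exc}{logged}"
    if policy.allowed_methods is not None and method not in policy.allowed_methods:
        return "drop-connection", f"unsafe method {method}"
    if policy.drop_non_ascii_headers:
        for name, value in headers:
            if any(b > 0x7F for b in name + value):
                return "drop-connection", f"non-ASCII header {name.decode('ascii', 'replace')}"
    if policy.max_header_count is not None and len(headers) > policy.max_header_count:
        return "drop-connection", f"header count {len(headers)} exceeds {policy.max_header_count}"
    if policy.max_uri_length is not None and len(uri) > policy.max_uri_length:
        return "drop-connection", f"URI length {len(uri)} exceeds {policy.max_uri_length}"
    for regex, match_positive, action in policy.uri_filters:
        # A positive filter fires when the pattern is found; "No Match" fires when it is absent.
        if (re.search(regex, uri) is not None) == match_positive:
            return action, f"URI filter {regex!r} ({'match' if match_positive else 'no match'})"
    return "allow", "passed all checks"


def spoof_server_header(raw_response: bytes, spoof: str) -> bytes:
    """Replace the Server header value, as the Spoof server string option does.
    The dialog limits the string to 82 characters."""
    if len(spoof) > 82:
        raise ValueError("spoof string is limited to 82 characters")
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    rewritten = [b"Server: " + spoof.encode("ascii") if line.lower().startswith(b"server:") else line
                 for line in head.split(b"\r\n")]
    return b"\r\n".join(rewritten) + sep + body


# Constructed sample traffic (not captured from any real host).
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
SAMPLE_DELETE = b"DELETE /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_NON_ASCII = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Note: caf\xc3\xa9\r\n\r\n"
SAMPLE_MALFORMED = b"GET /\r\nHost: www.example.com\r\n\r\n"      # request line lacks HTTP version
SAMPLE_EXE = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_API = b"GET /api/v1/status HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Length: 0\r\n\r\n"

# Two custom policies built from the URI Filtering dialog's two match types.
BLOCK_EXE = HttpInspectPolicy("block-exe", uri_filters=[(r"\.exe$", True, "drop-connection")])
API_ONLY = HttpInspectPolicy("api-only", uri_filters=[(r"^/api/", False, "drop-connection")])

if __name__ == "__main__":
    for label, sample in [("GET", SAMPLE_GET), ("DELETE", SAMPLE_DELETE),
                          ("non-ASCII", SAMPLE_NON_ASCII), ("malformed", SAMPLE_MALFORMED)]:
        for policy in (LOW, MEDIUM, HIGH):
            print(f"{label:10} {policy.name:7} -> {inspect(sample, policy)}")
    print(inspect(SAMPLE_EXE, BLOCK_EXE), inspect(SAMPLE_GET, API_ONLY), inspect(SAMPLE_API, API_ONLY))
    print(spoof_server_header(SAMPLE_RESPONSE, "web"))
```

The same DELETE request passes under Low (no method restriction) and is dropped under Medium and High, while the request carrying a UTF-8 header value is dropped only under High, which is the practical difference between the three presets. The API_ONLY policy shows why the No Match type needs care: it drops every request whose URI does not start with /api/, so an ordinary page fetch is refused while the API call passes.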

Instant Messaging (IM) Inspect Map


The IM pane lets you view previously configured Instant Messaging (IM) application inspection maps. An Instant Messaging (IM) map lets you change the default configuration values used for Instant Messaging (IM) application inspection.


Instant Messaging (IM) application inspection provides detailed access control to control network usage. It also helps stop leakage of confidential data and propagation of network threats. A regular expression database search representing various patterns for Instant Messaging (IM) protocols to be filtered is applied. A syslog is generated if the flow is not recognized. The scope can be limited by using an access list to specify any traffic streams to be inspected. For UDP messages, a corresponding UDP port number is also configurable. Inspection of Yahoo! Messenger and MSN Messenger instant messages is supported.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
IM Inspect Maps: Table that lists the defined IM inspect maps. The defined inspect maps are also listed in the IM area of the Inspect Maps tree.
Add: Adds the new IM inspect map to the defined list in the IM Inspect Maps table and to the IM area of the Inspect Maps tree. To configure the new IM map, select the IM entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the IM Inspect Maps table and from the IM area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Instant Messaging (IM) Inspect Map View


The IM Inspect Map View pane lets you configure the settings for the inspect map.
Fields

Name: Shows the name of the previously configured IM map.
Description: Enter the description of the IM map, up to 200 characters in length.
Match Type: Shows the match type, which can be a positive or negative match.
Criterion: Shows the criterion of the IM inspection.
Value: Shows the value to match in the IM inspection.
Action: Shows the action if the match condition is met.
Log: Shows the log state.
Add: Opens the Add IM Inspect dialog box to add an IM inspection.
Edit: Opens the Edit IM Inspect dialog box to edit an IM inspection.
Delete: Deletes an IM inspection.
Move Up: Moves an inspection up in the list.
Move Down: Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Add/Edit IM Map
The Add/Edit IM Inspect dialog box lets you define the match criterion and value for the IM inspect map.
Fields

Single Match: Specifies that the IM inspect has only one match statement.
Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
Criterion: Specifies which criterion of IM traffic to match.
  Protocol: Match IM protocols.
  Service: Match IM services.
  Source IP Address: Match source IP address.
  Destination IP Address: Match destination IP address.
  Version: Match IM file transfer service version.
  Client Login Name: Match client login name from IM service.
  Client Peer Login Name: Match client peer login name from IM service.
  Filename: Match filename from IM file transfer service.
Protocol Criterion Values: Specifies which IM protocols to match.
  Yahoo! Messenger: Specifies to match Yahoo! Messenger instant messages.
  MSN Messenger: Specifies to match MSN Messenger instant messages.
Service Criterion Values: Specifies which IM services to match.
  Chat: Specifies to match IM message chat service.
  Conference: Specifies to match IM conference service.
  File Transfer: Specifies to match IM file transfer service.
  Games: Specifies to match IM gaming service.
  Voice Chat: Specifies to match IM voice chat service (not available for Yahoo IM).
  Web Cam: Specifies to match IM webcam service.
Source IP Address Criterion Values: Specifies to match the source IP address of the IM service.
  IP Address: Enter the source IP address of the IM service.


  IP Mask: Mask of the source IP address.
Destination IP Address Criterion Values: Specifies to match the destination IP address of the IM service.
  IP Address: Enter the destination IP address of the IM service.
  IP Mask: Mask of the destination IP address.
Version Criterion Values: Specifies to match the version from the IM file transfer service. Applies the regular expression match.
  Regular Expression: Lists the defined regular expressions to match.
  Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
  Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Client Login Name Criterion Values: Specifies to match the client login name from the IM service. Applies the regular expression match.
  Regular Expression: Lists the defined regular expressions to match.
  Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
  Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Client Peer Login Name Criterion Values: Specifies to match the client peer login name from the IM service. Applies the regular expression match.
  Regular Expression: Lists the defined regular expressions to match.
  Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
  Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Filename Criterion Values: Specifies to match the filename from the IM file transfer service. Applies the regular expression match.
  Regular Expression: Lists the defined regular expressions to match.
  Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class: Lists the defined regular expression classes to match.
  Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Multiple Matches: Specifies multiple matches for the IM inspection.
  IM Traffic Class: Specifies the IM traffic class match.
  Manage: Opens the Manage IM Class Maps dialog box to add, edit, or delete IM Class Maps.
Action: Drop connection, reset, or log.
Log: Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

IPSec Pass Through Inspect Map


The IPSec Pass Through pane lets you view previously configured IPSec Pass Through application inspection maps. An IPSec Pass Through map lets you change the default configuration values used for IPSec Pass Through application inspection. You can use an IPSec Pass Through map to permit certain flows without using an access list.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
Security Level: Select the security level (high or low).
  Low (default):
    Maximum ESP flows per client: Unlimited.
    ESP idle timeout: 00:10:00.
    Maximum AH flows per client: Unlimited.
    AH idle timeout: 00:10:00.
  High:
    Maximum ESP flows per client: 10.
    ESP idle timeout: 00:00:30.
    Maximum AH flows per client: 10.
    AH idle timeout: 00:00:30.
Customize: Opens the Customize Security Level dialog box for additional settings.
Default Level: Sets the security level back to the default level of Low.

IPSec Pass Through Inspect Maps: Table that lists the defined IPSec Pass Through inspect maps. The defined inspect maps are also listed in the IPSec Pass Through area of the Inspect Maps tree.
Add: Adds the new IPSec Pass Through inspect map to the defined list in the IPSec Pass Through Inspect Maps table and to the IPSec Pass Through area of the Inspect Maps tree. To configure the new IPSec Pass Through map, select the IPSec Pass Through entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the IPSec Pass Through Inspect Maps table and from the IPSec Pass Through area of the Inspect Maps tree.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured IPSec Pass Through application inspection maps.
Fields

Settings: Specifies IPSec Pass Through security settings and actions.
  Limit ESP flows per client: Limits ESP flows per client.
    Maximum: Specify the maximum limit.
  Apply ESP idle timeout: Applies the ESP idle timeout.
    Timeout: Specify the timeout.
  Limit AH flows per client: Limits AH flows per client.
    Maximum: Specify the maximum limit.
  Apply AH idle timeout: Applies the AH idle timeout.
    Timeout: Specify the timeout.
Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  Reset to: Specifies high, medium, or low security setting.
  Reset: Resets settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

IPSec Pass Through Inspect Map Basic View


The IPSec Pass Through Inspect Map Basic View pane lets you configure basic settings for the inspect map.


Fields

Description: Enter the description of the inspect map, up to 200 characters in length.
Security Level: Select the security level (high or low).
  Low (default):
    Maximum ESP flows per client: Unlimited.
    ESP idle timeout: 00:10:00.
    Maximum AH flows per client: Unlimited.
    AH idle timeout: 00:10:00.
  High:
    Maximum ESP flows per client: 10.
    ESP idle timeout: 00:00:30.
    Maximum AH flows per client: 10.
    AH idle timeout: 00:00:30.
Customize: Opens the Customize Security Level dialog box for additional settings.
Default Level: Sets the security level back to the default level of Low.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

IPSec Pass Through Inspect Map Advanced View


The IPSec Pass Through Inspect Map Advanced View pane lets you configure advanced settings for the inspect map.
Fields

Name: Shows the name of the previously configured IPSec Pass Through map.
Description: Enter the description of the IPSec Pass Through map, up to 200 characters in length.
Limit ESP flows per client: Limits ESP flows per client.
  Maximum: Specify the maximum limit.
Apply ESP idle timeout: Applies the ESP idle timeout.
  Timeout: Specify the timeout.
Limit AH flows per client: Limits AH flows per client.
  Maximum: Specify the maximum limit.
Apply AH idle timeout: Applies the AH idle timeout.
  Timeout: Specify the timeout.
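The per-client flow limit and idle timeout settings described for the IPSec Pass Through map (Low: unlimited flows, 00:10:00 idle timeout; High: 10 flows per client, 00:00:30 idle timeout) amount to a small piece of state-tracking logic. The following is an added example for this guide, not ASA code: it models only the four knobs this dialog exposes, and the flow key (client address, protocol, SPI), the expiry loop and the constructed scenario are this example's own assumptions.

```python
"""Per-client ESP/AH flow accounting with idle timeouts, modeled on the
IPSec Pass Through Low/High presets above. Added example, not ASA code;
the flow keying and expiry loop are this model's own choices."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PassThroughPolicy:
    max_esp_flows: Optional[int]   # None means unlimited
    esp_idle_timeout: int          # seconds
    max_ah_flows: Optional[int]
    ah_idle_timeout: int


LOW = PassThroughPolicy(None, 10 * 60, None, 10 * 60)   # 00:10:00, unlimited flows
HIGH = PassThroughPolicy(10, 30, 10, 30)                # 00:00:30, 10 flows per client

FlowKey = Tuple[str, str, int]   # (client address, "esp" or "ah", SPI)


class PassThroughTracker:
    """Tracks permitted ESP/AH flows per client and enforces the policy limits."""

    def __init__(self, policy: PassThroughPolicy):
        self.policy = policy
        self.flows: Dict[FlowKey, float] = {}   # flow -> last-seen timestamp

    def _timeout(self, proto: str) -> int:
        return self.policy.esp_idle_timeout if proto == "esp" else self.policy.ah_idle_timeout

    def _limit(self, proto: str) -> Optional[int]:
        return self.policy.max_esp_flows if proto == "esp" else self.policy.max_ah_flows

    def expire_idle(self, now: float) -> int:
        """Drop flows idle longer than their protocol's timeout; return how many were removed."""
        stale = [k for k, last in self.flows.items() if now - last > self._timeout(k[1])]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def active_flows(self, client: str, proto: str) -> int:
        return sum(1 for (c, p, _spi) in self.flows if c == client and p == proto)

    def permit(self, client: str, proto: str, spi: int, now: float) -> bool:
        """Return True if a packet for (client, proto, spi) may pass at time `now`.
        Known flows refresh their idle timer; new flows are admitted only under the per-client limit."""
        self.expire_idle(now)
        key: FlowKey = (client, proto, spi)
        if key in self.flows:
            self.flows[key] = now
            return True
        limit = self._limit(proto)
        if limit is not None and self.active_flows(client, proto) >= limit:
            return False          # e.g. the eleventh ESP flow from one client under High
        self.flows[key] = now
        return True


def run_scenario(policy: PassThroughPolicy):
    """Constructed scenario: one client opens 11 ESP flows, a second client opens one,
    then everything is idle until t=40 s and the refused flow is retried."""
    tracker = PassThroughTracker(policy)
    first_ten = [tracker.permit("10.0.0.5", "esp", spi, 0.0) for spi in range(1, 11)]
    eleventh = tracker.permit("10.0.0.5", "esp", 11, 1.0)
    other_client = tracker.permit("10.0.0.6", "esp", 1, 1.0)
    after_idle = tracker.permit("10.0.0.5", "esp", 11, 40.0)
    return {"first_ten": all(first_ten), "eleventh": eleventh,
            "other_client": other_client, "after_idle": after_idle,
            "remaining": len(tracker.flows)}


if __name__ == "__main__":
    for label, pol in (("low", LOW), ("high", HIGH)):
        print(label, run_scenario(pol))
```

Under High the eleventh flow is refused at t=1 s, the other client is unaffected because limits are counted per client, and after 40 s of silence the 30 s idle timeout has cleared the table so the retry succeeds with a single flow remaining. Under Low nothing is refused and nothing expires within the 10 minute timeout, so all twelve flows are still tracked.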


Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

MGCP Inspect Map


The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.
Fields

Name: Enter the name of the inspect map, up to 40 characters in length.
Description: Enter the description of the inspect map, up to 200 characters in length.
Command Queue Size: Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.
Gateways and Call Agents: Opens the Gateways and Call Agents dialog box to add an MGCP map.
MGCP Inspect Maps: Table that lists the defined MGCP inspect maps. The defined inspect maps are also listed in the MGCP area of the Inspect Maps tree.
Add: Adds the new MGCP inspect map to the defined list in the MGCP Inspect Maps table and to the MGCP area of the Inspect Maps tree. To configure the new MGCP map, select the MGCP entry in the Inspect Maps tree.
Delete: Deletes the application inspection map selected in the MGCP Inspect Maps table and from the MGCP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System

Gateways and Call Agents


The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map.


Fields

Group ID: Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.
Criterion: Shows the criterion of the inspection.
Gateways: Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
Call Agents: Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
Add: Displays the Add MGCP dialog box, which you can use to define a new application inspection map.
Edit: Displays the Edit MGCP dialog box, which you can use to modify the application inspection map selected in the application inspection map table.
Delete: Deletes the application inspection map selected in the application inspection map table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

MGCP Inspect Map View


The MGCP Inspect Map View pane lets you configure the settings for the inspect map.
Fields

- Name: Shows the name of the previously configured MGCP map.
- Description: Enter the description of the MGCP map, up to 200 characters in length.
- Command Queue: Tab that lets you specify the permitted queue size for MGCP commands.
  - Command Queue Size: Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.
- Gateways and Call Agents: Tab that lets you configure groups of gateways and call agents for this map.
  - Group ID: Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.


  - Gateways: Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
  - Call Agents: Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
  - Add: Displays the Add MGCP Group dialog box, which you can use to define a new MGCP group of gateways and call agents.
  - Edit: Displays the Edit MGCP dialog box, which you can use to modify the MGCP group selected in the Gateways and Call Agents table.
  - Delete: Deletes the MGCP group selected in the Gateways and Call Agents table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Add/Edit MGCP Group


The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.
Fields

- Group ID: Specifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647.
- Gateways area
  - Gateway to Be Added: Specifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
  - Add: Adds the specified IP address to the IP address table.
  - Delete: Deletes the selected IP address from the IP address table.
  - IP Address: Lists the IP addresses of the gateways in the call agent group.
- Call Agents area
  - Call Agent to Be Added: Specifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
  - Add: Adds the specified IP address to the IP address table.


  - Delete: Deletes the selected IP address from the IP address table.
  - IP Address: Lists the IP addresses of the call agents in the call agent group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

NetBIOS Inspect Map


The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection. NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram services packets. It also enforces protocol conformance, checking the various count and length fields for consistency.
Fields

- Name: Enter the name of the inspect map, up to 40 characters in length.
- Description: Enter the description of the inspect map, up to 200 characters in length.
- Check for protocol violations: Checks for protocol violations and executes the specified action.
  - Action: Drop packet or log.
  - Log: Enable or disable.
- NetBIOS Inspect Maps: Table that lists the defined NetBIOS inspect maps. The defined inspect maps are also listed in the NetBIOS area of the Inspect Maps tree.
- Add: Adds the new NetBIOS inspect map to the defined list in the NetBIOS Inspect Maps table and to the NetBIOS area of the Inspect Maps tree. To configure the new NetBIOS map, select the NetBIOS entry in the Inspect Maps tree.
- Delete: Deletes the application inspection map selected in the NetBIOS Inspect Maps table and from the NetBIOS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System


NetBIOS Inspect Map View


The NetBIOS Inspect Map View pane lets you configure the settings for the inspect map.
Fields

- Name: Shows the name of the previously configured NetBIOS map.
- Description: Enter the description of the NetBIOS map, up to 200 characters in length.
- Check for protocol violations: Checks for protocol violations and executes the specified action.
  - Action: Drop packet or log.
  - Log: Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

RADIUS Inspect Map


The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection. You can use a RADIUS map to protect against an overbilling attack.
Fields

- Name: Enter the name of the inspect map, up to 40 characters in length.
- Description: Enter the description of the inspect map, up to 200 characters in length.
- RADIUS Inspect Maps: Table that lists the defined RADIUS inspect maps. The defined inspect maps are also listed in the RADIUS area of the Inspect Maps tree.
- Add: Adds the new RADIUS inspect map to the defined list in the RADIUS Inspect Maps table and to the RADIUS area of the Inspect Maps tree. To configure the new RADIUS map, select the RADIUS entry in the Inspect Maps tree.
- Delete: Deletes the application inspection map selected in the RADIUS Inspect Maps table and from the RADIUS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System


RADIUS Inspect Map Host


The RADIUS Inspect Map Host Parameters pane lets you configure the host parameter settings for the inspect map.
Fields

- Name: Shows the name of the previously configured RADIUS accounting map.
- Description: Enter the description of the RADIUS accounting map, up to 200 characters in length.
- Host Parameters: Lets you configure host parameters.
  - Host IP Address: Specify the IP address of the host that is sending the RADIUS messages.
  - Key (optional): Specify the key.
  - Add: Adds the host entry to the Host table.
  - Delete: Deletes the host entry from the Host table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

RADIUS Inspect Map Other


The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.
Fields

- Name: Shows the name of the previously configured RADIUS accounting map.
- Description: Enter the description of the RADIUS accounting map, up to 200 characters in length.
- Other Parameters: Lets you configure additional parameters.
  - Attribute Number: Specify the attribute number to validate when an Accounting Start is received.
  - Add: Adds the entry to the Attribute table.
  - Delete: Deletes the entry from the Attribute table.
  - Send response to the originator of the RADIUS message: Sends a message back to the host from which the RADIUS message was sent.
  - Enforce timeout: Enables the timeout for users.
    - Users Timeout: Timeout for the users in the database (hh:mm:ss).
  - Enable detection of GPRS accounting: Enables detection of GPRS accounting. This option is only available when the GTP/GPRS license is enabled.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

SCCP (Skinny) Inspect Map


The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps. An SCCP (Skinny) map lets you change the default configuration values used for SCCP (Skinny) application inspection. Skinny application inspection performs translation of embedded IP address and port numbers within the packet data, and dynamic opening of pinholes. It also performs additional protocol conformance checks and basic state tracking.
Fields

- Name: Enter the name of the inspect map, up to 40 characters in length.
- Description: Enter the description of the inspect map, up to 200 characters in length.
- Security Level: Select the security level (high or low).
  - Low (Default): Registration: Not enforced. Maximum message ID: 0x181. Minimum prefix length: 4. Media timeout: 00:05:00. Signaling timeout: 01:00:00. RTP conformance: Not enforced.
  - Medium: Registration: Not enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No.
  - High: Registration: Enforced. Maximum message ID: 0x141. Minimum prefix length: 4.


    Maximum prefix length: 65536. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: Yes.
- Customize: Opens the Customize Security Level dialog box for additional settings.
- Default Level: Sets the security level back to the default level of Low.
- Message ID Filtering: Opens the Message ID Filtering dialog box for configuring message ID filters.
- SCCP (Skinny) Inspect Maps: Table that lists the defined SCCP (Skinny) inspect maps. The defined inspect maps are also listed in the SCCP (Skinny) area of the Inspect Maps tree.
- Add: Adds the new SCCP (Skinny) inspect map to the defined list in the SCCP (Skinny) Inspect Maps table and to the SCCP (Skinny) area of the Inspect Maps tree. To configure the new SCCP (Skinny) map, select the SCCP (Skinny) entry in the Inspect Maps tree.
- Delete: Deletes the application inspection map selected in the SCCP (Skinny) Inspect Maps table and from the SCCP (Skinny) area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured SCCP (Skinny) application inspection maps.
Fields

- Settings: Specifies SCCP (Skinny) security settings and actions.
  - Enforce endpoint registration: Enforces that Skinny endpoints are registered before placing or receiving calls.
  - Maximum Message ID: Specify the value of the maximum SCCP message ID allowed (0x0 to 0xffff).
  - SCCP Prefix Length: Specifies the prefix length value in Skinny messages (4 to 4,294,967,295).
    - Minimum Prefix Length: Specify the minimum value of the SCCP prefix length allowed.
    - Maximum Prefix Length: Specify the maximum value of the SCCP prefix length allowed.
  - Enable media timeout: Enables the media timeout.
    - Media Timeout: Specify the timeout value for media connections (0:0:01 to 1993:0:0).
  - Enable signaling timeout: Enables the signaling timeout.


    - Signaling Timeout: Specify the timeout value for signaling connections (0:0:01 to 1993:0:0).
  - Check RTP packets for protocol conformance: Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
    - Limit payload to audio or video, based on the signaling exchange: Enforces the payload type to be audio/video based on the signaling exchange.
- Reset to predefined security level: Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  - Reset to: Specifies the high, medium, or low security setting.
  - Reset: Resets the settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Message ID Filtering

The Message ID Filtering dialog box lets you configure the settings for a message ID filter.
Fields

- Match Type: Shows the match type, which can be a positive or negative match.
- Criterion: Shows the criterion of the inspection.
- Value: Shows the value to match in the inspection.
- Action: Shows the action if the match condition is met.
- Log: Shows the log state.
- Add: Opens the Add Message ID Filtering dialog box to add a message ID filter.
- Edit: Opens the Edit Message ID Filtering dialog box to edit a message ID filter.
- Delete: Deletes a message ID filter.
- Move Up: Moves an entry up in the list.
- Move Down: Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System


SCCP (Skinny) Inspect Map Basic View


The SCCP (Skinny) Inspect Map Basic View pane shows the configured settings for the SCCP (Skinny) inspect map. The Advanced View lets you configure the settings.
Fields

- Name: Shows the name of the previously configured SCCP (Skinny) map.
- Description: Enter the description of the SCCP (Skinny) map, up to 200 characters in length.
- Security Level: Shows the current security settings.
  - Customize: Opens the Customize Security Level dialog box to configure the security settings.
  - Default Level: Sets the security level back to the default.
  - Message ID Filtering: Opens the Message ID Filtering dialog box for configuring message ID filters.
- Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

SCCP (Skinny) Inspect Map Advanced View


The SCCP (Skinny) Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

- Name: Shows the name of the previously configured SCCP (Skinny) map.
- Description: Enter the description of the SCCP (Skinny) map, up to 200 characters in length.
- Parameters: Tab that lets you configure the parameter settings for SCCP (Skinny).
  - Enforce endpoint registration: Enforces that Skinny endpoints are registered before placing or receiving calls.
  - Maximum Message ID: Specify the value of the maximum SCCP message ID allowed.
  - SCCP Prefix Length: Specifies the prefix length value in Skinny messages.
    - Minimum Prefix Length: Specify the minimum value of the SCCP prefix length allowed.
    - Maximum Prefix Length: Specify the maximum value of the SCCP prefix length allowed.
  - Media Timeout: Specify the timeout value for media connections.
  - Signaling Timeout: Specify the timeout value for signaling connections.
- RTP Conformance: Tab that lets you configure the RTP conformance settings for SCCP (Skinny).


  - Check RTP packets for protocol conformance: Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
    - Limit payload to audio or video, based on the signaling exchange: Enforces the payload type to be audio/video based on the signaling exchange.
- Message ID Filtering: Tab that lets you configure the message ID filtering settings for SCCP (Skinny).
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the inspection.
  - Value: Shows the value to match in the inspection.
  - Action: Shows the action if the match condition is met.
  - Log: Shows the log state.
  - Add: Opens the Add Message ID Filtering dialog box to add a message ID filter.
  - Edit: Opens the Edit Message ID Filtering dialog box to edit a message ID filter.
  - Delete: Deletes a message ID filter.
  - Move Up: Moves an entry up in the list.
  - Move Down: Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Add/Edit Message ID Filter


The Add Message ID Filter dialog box lets you configure message ID filters.
Fields

- Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Criterion: Specifies which criterion of SCCP (Skinny) traffic to match.
  - Message ID: Match the specified message ID.
    - Message ID: Specify the value of the maximum SCCP message ID allowed.
  - Message ID Range: Match the specified message ID range.
    - Lower Message ID: Specify the lower value of the SCCP message ID allowed.
    - Upper Message ID: Specify the upper value of the SCCP message ID allowed.
- Action: Drop packet.


- Log: Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System
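As an added example (not from the ASDM guide or Cisco's code), the following Python applies the Maximum Message ID, Minimum/Maximum Prefix Length and Message ID Range filter settings described in the Customize Security Level and Add/Edit Message ID Filter dialogs to constructed Skinny messages. It assumes the standard Skinny header layout (4-byte little-endian data length, 4-byte header version, 4-byte little-endian message ID); SkinnyPolicy and the function names are this example's own.

```python
"""Added example (not from the ASDM guide or Cisco's code): apply the SCCP
(Skinny) Maximum Message ID, Minimum/Maximum Prefix Length and Message ID
Range filter settings to raw Skinny messages.

Assumed header layout: 4-byte little-endian data length (the "prefix length",
which counts the message ID plus payload), 4-byte header version, 4-byte
little-endian message ID.  Policy and function names are this example's own.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

SCCP_HEADER = struct.Struct("<III")   # data length, header version, message ID
FIXED_HEADER_LEN = 8                  # data length + version fields, not counted in data length


@dataclass
class SkinnyPolicy:
    # Defaults follow the "Low" security level listed in the guide.
    max_message_id: int = 0x181
    min_prefix_length: int = 4
    max_prefix_length: int = 65536
    # Message ID Range filters: (lower, upper, drop).  drop=False means log only.
    id_filters: List[Tuple[int, int, bool]] = field(default_factory=list)


def inspect_skinny(pkt: bytes, policy: SkinnyPolicy) -> Tuple[str, str]:
    """Return (verdict, reason) for one Skinny message; verdict is permit, log or drop."""
    if len(pkt) < SCCP_HEADER.size:
        return "drop", "truncated Skinny header"
    data_len, _version, msg_id = SCCP_HEADER.unpack_from(pkt)

    # Minimum / Maximum Prefix Length settings
    if data_len < policy.min_prefix_length:
        return "drop", f"prefix length {data_len} below minimum {policy.min_prefix_length}"
    if data_len > policy.max_prefix_length:
        return "drop", f"prefix length {data_len} above maximum {policy.max_prefix_length}"
    # Basic conformance: the declared length must match the bytes actually present
    actual = len(pkt) - FIXED_HEADER_LEN
    if data_len != actual:
        return "drop", f"declared length {data_len} does not match actual {actual}"

    # Maximum Message ID setting
    if msg_id > policy.max_message_id:
        return "drop", f"message ID {msg_id:#x} exceeds maximum {policy.max_message_id:#x}"

    # Message ID Range filters, first match wins (list order, as in the dialog)
    for lower, upper, drop in policy.id_filters:
        if lower <= msg_id <= upper:
            verdict = "drop" if drop else "log"
            return verdict, f"message ID {msg_id:#x} matched filter {lower:#x}-{upper:#x}"
    return "permit", "ok"


def build_skinny(msg_id: int, payload: bytes = b"") -> bytes:
    """Build a constructed Skinny message with a correct data length."""
    return SCCP_HEADER.pack(4 + len(payload), 0, msg_id) + payload


if __name__ == "__main__":
    policy = SkinnyPolicy(id_filters=[(0x0100, 0x0110, False)])
    # Constructed messages: ID 0x0001 with a payload, an ID above the Low-level
    # maximum, a message whose length field lies, and one hitting the log filter.
    for name, pkt in [
        ("register", build_skinny(0x0001, b"\x00" * 8)),
        ("too high", build_skinny(0x0200)),
        ("bad length", SCCP_HEADER.pack(100, 0, 0x0001)),
        ("filtered", build_skinny(0x0100)),
    ]:
        print(name, inspect_skinny(pkt, policy))
```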

SIP Inspect Map


The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection. SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats. SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
Fields

- Name: Enter the name of the inspect map, up to 40 characters in length.
- Description: Enter the description of the inspect map, up to 200 characters in length.
- Security Level: Select the security level (high or low).
  - Low (Default): SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide servers and endpoints IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Not enforced. SIP conformance: Do not perform state checking and header validation.
  - Medium: SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide servers and endpoints IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No.


    SIP conformance: Drop packets that fail state checking.
  - High: SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Denied. Hide servers and endpoints IP addresses: Disabled. Mask software version and non-SIP URIs: Enabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: Yes. SIP conformance: Drop packets that fail state checking and packets that fail header validation.
- Customize: Opens the Customize Security Level dialog box for additional settings.
- Default Level: Sets the security level back to the default level of Low.
- SIP Inspect Maps: Table that lists the defined SIP inspect maps. The defined inspect maps are also listed in the SIP area of the Inspect Maps tree.
- Add: Adds the new SIP inspect map to the defined list in the SIP Inspect Maps table and to the SIP area of the Inspect Maps tree. To configure the new SIP map, select the SIP entry in the Inspect Maps tree.
- Delete: Deletes the application inspection map selected in the SIP Inspect Maps table and from the SIP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Customize Security Level


The Customize Security Level dialog box lets you configure the security settings for previously configured SIP application inspection maps.
Fields

- Settings: Lets you configure additional SIP settings, including RTP and SIP conformance.
  - Enable SIP instant messaging (IM) extensions: Enables Instant Messaging extensions. Default is enabled.
  - Permit non-SIP traffic on SIP port: Permits non-SIP traffic on the SIP port. Permitted by default.
  - Hide servers and endpoints IP addresses: Enables IP address privacy. Disabled by default.
  - Mask software version and non-SIP URIs: Enables non-SIP URI inspection in Alert-Info and Call-Info headers.


  - Ensure that number of hops to destination is greater than 0: Enables a check for whether the value of the Max-Forwards header is zero.
  - RTP Conformance
    - Check RTP packets for protocol conformance: Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
      - Limit payload to audio or video, based on the signaling exchange: Enforces the payload type to be audio/video based on the signaling exchange.
  - SIP Conformance
    - Do not perform state checking and header validation: Disables SIP state checking.
    - Drop packets that fail state checking: Drops packets that fail state checking.
    - Drop connections that fail state checking and packets that fail header validation: Drops connections that fail state checking and packets that fail header validation of SIP messages.
- Reset to Predefined Security Level: Resets the security level settings to the predefined levels of high, medium, or low.
  - Reset To: Resets the security level to high, medium, or low.
  - Reset: Resets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

SIP Inspect Map Basic View


The SIP Inspect Map Basic View pane shows the configured settings for the SIP inspect map. The Advanced View lets you configure the settings.
Fields

- Name: Shows the name of the previously configured SIP map.
- Description: Enter the description of the SIP map, up to 200 characters in length.
- Security Level: Shows the current security settings.
  - Customize: Opens the Customize Security Level dialog box to configure the security settings.
  - Default Level: Sets the security level back to the default.
- Advanced View: Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

SIP Inspect Map Advanced View


The SIP Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

- Name: Shows the name of the previously configured SIP map.
- Description: Enter the description of the SIP map, up to 200 characters in length.
- Filtering: Tab that lets you configure the filtering settings for SIP.
  - Enable SIP instant messaging (IM) extensions: Enables Instant Messaging extensions. Default is enabled.
  - Permit non-SIP traffic on SIP port: Permits non-SIP traffic on the SIP port. Permitted by default.
- IP Address Privacy: Tab that lets you configure the IP address privacy settings for SIP.
  - Hide servers and endpoints IP addresses: Enables IP address privacy. Disabled by default.
- Hop Count: Tab that lets you configure the hop count settings for SIP.
  - Ensure that number of hops to destination is greater than 0: Enables a check for whether the value of the Max-Forwards header is zero.
    - Action: Drop packet, Drop Connection, Reset, Log.
    - Log: Enable or Disable.
- RTP Conformance: Tab that lets you configure the RTP conformance settings for SIP.
  - Check RTP packets for protocol conformance: Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
    - Limit payload to audio or video, based on the signaling exchange: Enforces the payload type to be audio/video based on the signaling exchange.
- SIP Conformance: Tab that lets you configure the SIP conformance settings for SIP.
  - Enable state transition checking: Enables SIP state checking.
    - Action: Drop packet, Drop Connection, Reset, Log.
    - Log: Enable or Disable.
  - Enable strict validation of header fields: Enables validation of SIP header fields.
    - Action: Drop packet, Drop Connection, Reset, Log.
    - Log: Enable or Disable.
- Field Masking: Tab that lets you configure the field masking settings for SIP.
  - Inspect non-SIP URIs: Enables non-SIP URI inspection in Alert-Info and Call-Info headers.
    - Action: Mask or Log.
    - Log: Enable or Disable.


  - Inspect servers and endpoints software version: Inspects the SIP endpoint software version in User-Agent and Server headers.
    - Action: Mask or Log.
    - Log: Enable or Disable.
- Inspections: Tab that shows you the SIP inspection configuration and lets you add or edit.
  - Match Type: Shows the match type, which can be a positive or negative match.
  - Criterion: Shows the criterion of the SIP inspection.
  - Value: Shows the value to match in the SIP inspection.
  - Action: Shows the action if the match condition is met.
  - Log: Shows the log state.
  - Add: Opens the Add SIP Inspect dialog box to add a SIP inspection.
  - Edit: Opens the Edit SIP Inspect dialog box to edit a SIP inspection.
  - Delete: Deletes a SIP inspection.
  - Move Up: Moves an inspection up in the list.
  - Move Down: Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple Context | System

Add/Edit SIP Inspect


The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.
Fields

- Single Match: Specifies that the SIP inspect has only one match statement.
- Match Type: Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Criterion: Specifies which criterion of SIP traffic to match.
  - Called Party: Match a called party as specified in the To header.
  - Calling Party: Match a calling party as specified in the From header.
  - Content Length: Match a content length header.
  - Content Type: Match a content type header.
  - IM Subscriber: Match a SIP IM subscriber.


  - Message Path: Match a SIP Via header.
  - Request Method: Match a SIP request method.
  - Third-Party Registration: Match the requester of a third-party registration.
  - URI Length: Match a URI in the SIP headers.
- Called Party Criterion Values: Specifies to match the called party. Applies the regular expression match.
  - Regular Expression: Lists the defined regular expressions to match.
  - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
  - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
- Calling Party Criterion Values: Specifies to match the calling party. Applies the regular expression match.
  - Regular Expression: Lists the defined regular expressions to match.
  - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
  - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
- Content Length Criterion Values: Specifies to match a SIP content header of a length greater than specified.
  - Greater Than Length: Enter a header length value in bytes.
- Content Type Criterion Values: Specifies to match a SIP content header type.
  - SDP: Match an SDP SIP content header type.
  - Regular Expression: Match a regular expression.
    - Regular Expression: Lists the defined regular expressions to match.
    - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    - Regular Expression Class: Lists the defined regular expression classes to match.
    - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
- IM Subscriber Criterion Values: Specifies to match the IM subscriber. Applies the regular expression match.
  - Regular Expression: Lists the defined regular expressions to match.
  - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
  - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.


- Message Path Criterion Values: Specifies to match a SIP Via header. Applies the regular expression match.
  - Regular Expression: Lists the defined regular expressions to match.
  - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
  - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
- Request Method Criterion Values: Specifies to match a SIP request method.
  - Request Method: Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.
- Third-Party Registration Criterion Values: Specifies to match the requester of a third-party registration. Applies the regular expression match.
  - Regular Expression: Lists the defined regular expressions to match.
  - Manage: Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  - Regular Expression Class: Lists the defined regular expression classes to match.
  - Manage: Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
- URI Length Criterion Values: Specifies to match a URI in the SIP headers greater than the specified length.
  - URI type: Specifies to match either a SIP URI or a TEL URI.
  - Greater Than Length: Length in bytes.
- Multiple Matches: Specifies multiple matches for the SIP inspection.
  - SIP Traffic Class: Specifies the SIP traffic class match.
  - Manage: Opens the Manage SIP Class Maps dialog box to add, edit, or delete SIP Class Maps.
- Actions: Primary action and log settings.
  - Action: Drop packet, drop connection, reset, log. Note: The Limit rate (pps) action is available for the request methods invite and register.
  - Log: Enable or disable.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


SNMP Inspect Map


The SNMP pane lets you view previously configured SNMP application inspection maps. An SNMP map lets you change the default configuration values used for SNMP application inspection.

Fields

- Map Name: Lists previously configured application inspection maps. Check a map and click Edit to view or change an existing map.
- Disallowed SNMP Versions: Identifies the SNMP versions that have been disallowed for a specific SNMP application inspection map.
- Add: Displays the Add SNMP dialog box, which you can use to define a new application inspection map.
- Edit: Displays the Edit SNMP dialog box, which you can use to modify the application inspection map selected in the application inspection map table.
- Delete: Deletes the application inspection map selected in the application inspection map table.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit SNMP Map


The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.

Fields

- SNMP Map Name: Defines the name of the application inspection map.
- SNMP version 1: Enables application inspection for SNMP version 1.
- SNMP version 2 (party based): Enables application inspection for SNMP version 2.
- SNMP version 2c (community based): Enables application inspection for SNMP version 2c.
- SNMP version 3: Enables application inspection for SNMP version 3.
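The per-version decision that an SNMP map makes (the Disallowed SNMP Versions column in the SNMP pane) can be reproduced off the box to see what a captured datagram would do under a map that blocks SNMPv1 and SNMPv2c. The following Python is an added example, not code from the ASDM guide or from the security appliance: it reads the version INTEGER at the head of an SNMP message (SEQUENCE { INTEGER version, ... }, the framing shared by RFC 1157 and RFC 3412) with a minimal BER reader and returns allow or drop. The sample datagram is constructed for the example. Party-based SNMPv2 uses a different message format and is not modelled here, and unknown or malformed versions fail closed; both choices are this example's assumptions.

```python
"""Decide whether an SNMP datagram passes a 'disallowed versions' policy.

Added example (not ASDM or ASA code). Version field values: 0 = SNMPv1,
1 = SNMPv2c, 3 = SNMPv3. Party-based SNMPv2 is not modelled; anything that is
not one of these three, or does not parse, is treated as unknown and dropped.
"""
from typing import Optional, Tuple

VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for one BER TLV; short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def snmp_version(datagram: bytes) -> Optional[str]:
    """Extract the SNMP version name ('1', '2c', '3'); None if unknown or malformed."""
    try:
        tag, body, _ = _read_tlv(datagram, 0)
        if tag != 0x30:                    # outer SEQUENCE
            return None
        tag, value, _ = _read_tlv(body, 0)
        if tag != 0x02 or not 1 <= len(value) <= 4:   # INTEGER version
            return None
        return VERSION_NAMES.get(int.from_bytes(value, "big", signed=True))
    except ValueError:
        return None


def snmp_inspect(datagram: bytes, disallowed: set) -> str:
    """'allow' or 'drop'; disallowed, unknown and malformed versions are dropped."""
    version = snmp_version(datagram)
    return "drop" if version is None or version in disallowed else "allow"


# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community 'public'.
SNMPV1_GET = bytes.fromhex(
    "30 29"                            # SEQUENCE, 41 bytes
    "02 01 00"                         # INTEGER version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63"          # OCTET STRING 'public'
    "a0 1c"                            # GetRequest-PDU, 28 bytes
    "02 04 00 00 00 01"                # request-id = 1
    "02 01 00"                         # error-status = 0
    "02 01 00"                         # error-index = 0
    "30 0e"                            # VarBindList, 14 bytes
    "30 0c"                            # VarBind, 12 bytes
    "06 08 2b 06 01 02 01 01 01 00"    # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "05 00"                            # NULL
)

if __name__ == "__main__":
    print(snmp_version(SNMPV1_GET), snmp_inspect(SNMPV1_GET, {"1", "2c"}))
```

Only the outer SEQUENCE and the first INTEGER are parsed; the community string and PDU are never trusted, which keeps the decision independent of anything an attacker controls beyond the version byte.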

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


Configuring Regular Expressions


This section describes how to configure regular expressions, and includes the following topics:

- Regular Expressions, page 6-101
- Add/Edit Regular Expression, page 6-102
- Build Regular Expression, page 6-104
- Test Regular Expression, page 6-106
- Add/Edit Regular Expression Class Map, page 6-106

Regular Expressions
Some class maps and inspect maps (see Configuring Class Maps and Configuring Inspect Maps) can specify regular expressions to match text inside a packet. Be sure to create the regular expressions before you configure the class map or inspect map, either singly or grouped together in a regular expression class map. A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match body text inside an HTTP packet.

Fields

- Regular Expressions: Shows the regular expressions.
  - Name: Shows the regular expression names.
  - Value: Shows the regular expression definitions.
  - Add: Adds a regular expression.
  - Edit: Edits a regular expression.
  - Delete: Deletes a regular expression.
- Regular Expression Classes: Shows the regular expression class maps.
  - Name: Shows the regular expression class map name.
  - Match Conditions: Shows the match type and regular expressions in the class map.
    - Match Type: Shows the match type, which for regular expressions is always a positive match of the criteria (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches (shown by the icon with the red circle). If more than one regular expression is in the class map, each match type icon appears with OR next to it, to indicate that this is a match-any class map: traffic matches the class map if any one regular expression matches.
    - Regular Expression: Lists the regular expressions included in each class map.
  - Description: Shows the description of the class map.
  - Add: Adds a regular expression class map.
  - Edit: Edits a regular expression class map.
  - Delete: Deletes a regular expression class map.


Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Regular Expression


The Add/Edit Regular Expression dialog box lets you define and test a regular expression.

Fields

- Name: Enter the name of the regular expression, up to 40 characters in length.
- Value: Enter the regular expression, up to 100 characters in length. You can enter the text manually, using the metacharacters in Table 6-1, or you can click Build to use the Build Regular Expression dialog box. Table 6-1 lists the metacharacters that have special meanings.

Table 6-1 regex Metacharacters

Character (Description): Notes
- . (Dot): Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
- (exp) (Subexpression): A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.
- | (Alternation): Matches either expression it separates. For example, dog|cat matches dog or cat.
- ? (Question mark): A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose. Note: When you enter a regular expression at the CLI, you must type Ctrl+V before the question mark or else the help function is invoked.
- * (Asterisk): A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.
- + (Plus): A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
- {x} (Repeat quantifier): Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.
- {x,} (Minimum repeat quantifier): Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.
- [abc] (Character class): Matches any character in the brackets. For example, [abc] matches a, b, or c.
- [^abc] (Negated character class): Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.
- [a-c] (Character range class): Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].
- "" (Quotation marks): Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match.
- ^ (Caret): Specifies the beginning of a line.
- \ (Escape character): When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
- char (Character): When the character is not a metacharacter, matches the literal character.
- \r (Carriage return): Matches a carriage return, 0x0d.
- \n (Newline): Matches a new line, 0x0a.
- \t (Tab): Matches a tab, 0x09.
- \f (Formfeed): Matches a form feed, 0x0c.
- \xNN (Escaped hexadecimal number): Matches an ASCII character using hexadecimal (exactly two digits).
- \NNN (Escaped octal number): Matches an ASCII character as octal (exactly three digits). For example, \040 represents a space.

- Build: Helps you build a regular expression using the Build Regular Expression dialog box.
- Test: Tests a regular expression against some sample text.


Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Build Regular Expression


The Build Regular Expression dialog box lets you construct a regular expression out of characters and metacharacters. Fields that insert metacharacters include the metacharacter in parentheses in the field name.

Fields

- Build Snippet: This area lets you build text snippets of regular text or lets you insert a metacharacter into the Regular Expression field.
  - Starts at the beginning of the line (^): Indicates that the snippet should start at the beginning of a line, using the caret (^) metacharacter. Be sure to insert any snippet with this option at the beginning of the regular expression.
  - Specify Character String: Enter a text string manually.
    - Character String: Enter a text string.
    - Escape Special Characters: If you entered any metacharacters in your text string that you want to be used literally, check this box to add the backslash (\) escape character before them. For example, if you enter example.com, this option converts it to example\.com.
    - Ignore Case: If you want to match upper and lower case characters, this check box automatically adds text to match both upper and lower case. For example, entering cats is converted to [cC][aA][tT][sS].
  - Specify Character: Lets you specify a metacharacter to insert in the regular expression.
    - Negate the character: Specifies not to match the character you identify.
    - Any character (.): Inserts the period (.) metacharacter to match any character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
    - Character set: Inserts a character set. Text can match any character in the set. Sets include [0-9A-Za-z], [0-9], [A-Z], [a-z], [aeiou], and [\n\f\r\t] (which matches a new line, form feed, carriage return, or tab). For example, if you specify [0-9A-Za-z], then this snippet will match any character from A to Z (upper or lower case) or any digit 0 through 9.
    - Special character: Inserts a character that requires an escape, including \, ?, *, +, |, ., [, (, or ^. The escape character is the backslash (\), which is automatically entered when you choose this option.
    - Whitespace character: Whitespace characters include \n (new line), \f (form feed), \r (carriage return), or \t (tab).
    - Three digit octal number: Matches an ASCII character as octal (exactly three digits). For example, \040 represents a space. The backslash (\) is entered automatically.
    - Two digit hexadecimal number: Matches an ASCII character using hexadecimal (exactly two digits). The backslash (\) is entered automatically.
    - Specified character: Enter any single character.
  - Snippet Preview: Display only. Shows the snippet as it will be entered in the regular expression.
  - Append Snippet: Adds the snippet to the end of the regular expression.
  - Append Snippet as Alternate: Adds the snippet to the end of the regular expression separated by a pipe (|), which matches either expression it separates. For example, dog|cat matches dog or cat.
  - Insert Snippet at Cursor: Inserts the snippet at the cursor.
- Regular Expression: This area includes regular expression text that you can enter manually and build with snippets. You can then select text in the Regular Expression field and apply a quantifier to the selection.
  - Selection Occurrences: Select text in the Regular Expression field, click one of the following options, and then click Apply to Selection. For example, if the regular expression is test me, and you select me and apply One or more times, then the regular expression changes to test (me)+.
    - Zero or one times (?): A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.
    - One or more times (+): A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
    - Any number of times (*): A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.
    - At least: Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.
    - Exactly: Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.
  - Apply to Selection: Applies the quantifier to the selection.
- Test: Tests a regular expression against some sample text.
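The snippet transforms described for the Build Regular Expression dialog, the metacharacters in Table 6-1, and the match-any behaviour of a regular expression class map can all be exercised before a pattern is committed to an inspect map. The following Python is an added example and is not code from the ASDM guide or the security appliance: it implements Escape Special Characters, Ignore Case, Append Snippet as Alternate and Apply to Selection as plain string transforms, then checks patterns against sample text with Python's re module. The Table 6-1 metacharacters (. ( ) | ? * + {x} {x,} [abc] [^abc] [a-c] ^ \ \r \n \t \f \xNN \NNN) carry the same meaning in re, so it serves as a stand-in for the Test Regular Expression dialog; the quotation-mark convention for leading or trailing spaces is a CLI convention that is stripped before compiling. The function names and that stripping rule are this example's assumptions, and the security appliance's own matcher may differ in corner cases not listed in the table.

```python
"""Reproduce the Build Regular Expression snippet transforms and test the result.

Added example (not ASDM code). Uses Python's re module as a stand-in for the
security appliance's matcher for the metacharacters listed in Table 6-1.
"""
import re
from typing import Iterable

# Characters the dialog's 'Special character' list says require an escape.
SPECIAL = set(r"\?*+|.[(^")


def escape_special(text: str) -> str:
    """Escape Special Characters: example.com -> example\\.com"""
    return "".join("\\" + c if c in SPECIAL else c for c in text)


def ignore_case(text: str) -> str:
    """Ignore Case: cats -> [cC][aA][tT][sS]; non-letters are left unchanged."""
    return "".join(f"[{c.lower()}{c.upper()}]" if c.isalpha() else c for c in text)


def append_alternate(regex: str, snippet: str) -> str:
    """Append Snippet as Alternate: 'dog' + 'cat' -> 'dog|cat'"""
    return snippet if not regex else f"{regex}|{snippet}"


def apply_quantifier(regex: str, start: int, end: int, quantifier: str) -> str:
    """Apply to Selection: group regex[start:end] and append the quantifier.

    quantifier is one of ?, +, *, {n}, {n,}. The guide's example: 'test me'
    with 'me' selected and One or more times -> 'test (me)+'.
    """
    if not re.fullmatch(r"\?|\+|\*|\{\d+\}|\{\d+,\}", quantifier):
        raise ValueError(f"unsupported quantifier {quantifier!r}")
    return f"{regex[:start]}({regex[start:end]}){quantifier}{regex[end:]}"


def compile_cisco(regex: str) -> "re.Pattern[str]":
    """Compile a Table 6-1 style regex; the CLI quoting that preserves spaces is stripped."""
    if len(regex) >= 2 and regex[0] == '"' and regex[-1] == '"':
        regex = regex[1:-1]
    return re.compile(regex)


def regex_matches(regex: str, text: str) -> bool:
    """Test Regular Expression: does the pattern occur anywhere in the sample text?"""
    return compile_cisco(regex).search(text) is not None


def class_map_matches(regexes: Iterable[str], text: str) -> bool:
    """Regular expression class maps are match-any: one matching member is enough."""
    return any(regex_matches(r, text) for r in regexes)


if __name__ == "__main__":
    host = escape_special("example.com")                 # example\.com
    print(host, regex_matches(host, "GET / HTTP/1.1\r\nHost: example.com"))
    print(apply_quantifier("test me", 5, 7, "+"))        # test (me)+
    print(class_map_matches([ignore_case("cats"), "d(o|a)g"], "CATS and dogs"))
```

Running the escaped form through regex_matches shows why Escape Special Characters matters: the unescaped example.com would also match examplexcom, which is exactly the kind of loose pattern an inspect map should not carry.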

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


Test Regular Expression


The Test Regular Expression dialog box lets you test input text against a regular expression to make sure it matches as you intended.

Fields

- Regular Expression: Enter the regular expression you want to test. By default, the regular expression you entered in the Add/Edit Regular Expression or Build Regular Expression dialog box is input into this field. If you change the regular expression during your testing and click OK, the changes are inherited by the Add/Edit Regular Expression or Build Regular Expression dialog boxes. Click Cancel to discard your changes.
- Test String: Enter a text string that you expect to match the regular expression.
- Test: Tests the Test String against the Regular Expression.
- Test Result: Display only. Shows whether the test succeeded or failed.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Regular Expression Class Map


The Add/Edit Regular Expression Class Map dialog box groups regular expressions together. A regular expression class map can be used by inspection class maps and inspection policy maps.

Fields

- Name: Enter a name for the class map, up to 40 characters in length. The name class-default is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.
- Description: Enter a description, up to 200 characters in length.
- Available Regular Expressions: Lists the regular expressions that are not yet assigned to the class map.
  - Edit: Edits the selected regular expression.
  - New: Creates a new regular expression.
- Add: Adds the selected regular expression to the class map.
- Remove: Removes the selected regular expression from the class map.
- Configured Match Conditions: Shows the regular expressions in this class map, along with the match type.
  - Match Type: Shows the match type, which for regular expressions is always a positive match of the criteria (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches (shown by the icon with the red circle). If more than one regular expression is in the class map, each match type icon appears with OR next to it, to indicate that this is a match-any class map: traffic matches the class map if any one regular expression matches.
  - Regular Expression: Lists the regular expression names in this class map.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

TCP Maps
Use the TCP Maps option to create a reusable component that defines the TCP normalization settings for different traffic flows. After creating a TCP map, you can associate these TCP normalization settings with traffic of a specific type using a security policy. You use the Service Policy Rules option on the Security Policy pane to define the traffic criteria and to associate the service policy rule with a specific interface or to apply it to all the interfaces on the security appliance.

Fields

- Map Name: Lists the TCP map name used to apply a TCP map.
- Urgent Flag: Lists whether the URG pointer is cleared or allowed through the security appliance.
- Window Variation: Lists whether a connection that has changed its window size unexpectedly is allowed or dropped.
- Exceed MSS: Lists whether packets that exceed the MSS set by the peer are allowed or dropped.
- Check Retransmission: Lists whether the retransmit data check is enabled or disabled.
- Past-window Sequence Data: Lists whether a connection with past-window sequence numbers is dropped (that is, the sequence number of a received TCP packet is greater than the right edge of the TCP receive window). This action is only allowed if the Queue Limit is set to 0 (disabled).
- SYN Data: Lists whether SYN packets with data are allowed or dropped.
- SYNACK Data: Lists whether SYNACK packets with data are allowed or dropped.
- Invalid Ack: Lists whether packets with an invalid ACK are allowed or dropped.
- TTL Evasion Protection: Lists whether the TTL evasion protection offered by the security appliance is enabled or disabled.
- Verify Checksum: Lists whether checksum verification is enabled or disabled.
- Reserved Bits: Lists the status of the reserved flags policy.
- TCP Options: Lists the behavior of packets with a TCP option value configured. The default action is to clear the options and allow the packets.
  - Selective Ack: Lists whether the selective-ack TCP option is allowed or cleared.
  - Time Stamp: Lists whether the TCP timestamp option is allowed or cleared.
  - Window Scale: Lists whether the window scale option is allowed or cleared.
  - Range: Lists the valid TCP option ranges, which should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound.
- Queue Size: Lists the maximum number of out-of-order packets that can be queued for a TCP connection. The default is 0.
- Queue Timeout: Lists the out-of-order packet buffer timeout. The default is 4 seconds.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit TCP Map


The Add/Edit TCP Map dialog box lets you customize TCP normalization for a class of traffic with a TCP map. Apply the TCP map using a policy map and activate it using a service policy.

Fields

- TCP Map Name: Specifies a TCP map name.
- Queue Limit: Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:
  - Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the security appliance receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
  - For other TCP connections, out-of-order packets are passed through untouched.
  If you set the Queue Limit to 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
- Timeout: Sets the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds; if they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to 1 or above for the timeout to take effect.
- Clear Urgent Flag: Clears the URG pointer through the security appliance.
- Drop Connection on Window Variation: Drops a connection that has changed its window size unexpectedly.
- Drop Packets that Exceed Maximum Segment Size: Drops packets that exceed the MSS set by the peer.
- Check if transmitted data is the same as original: Enables the retransmit data check.
- Drop Packets which have past-window sequence: Drops packets that have past-window sequence numbers, that is, the sequence number of a received TCP packet is greater than the right edge of the TCP receive window. This action is only allowed if the Queue Limit is set to 0 (disabled).
- Drop SYN packets with data: Drops SYN packets with data.
- Drop SYNACK packets with data: Drops SYNACK packets with data.
- Drop packets with invalid ACK: Drops packets with an invalid ACK. You might see invalid ACKs in the following instances:
  - In the TCP connection SYN-ACK-received state, if the ACK number of a received TCP packet is not exactly the same as the sequence number of the next TCP packet to be sent, it is an invalid ACK.
  - Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent, it is an invalid ACK.
  Note: TCP packets with an invalid ACK are automatically allowed for WAAS connections.
- Enable TTL Evasion Protection: Enables or disables the TTL evasion protection offered by the security appliance.
- Verify TCP Checksum: Enables or disables checksum verification.
- Reserved Bits: Sets the reserved flags policy in the security appliance: Clear and allow, Allow only, or Drop.
- TCP Options: Configures the behavior of packets with a TCP option value configured.
  - Clear Selective Ack: Clears the selective-ack TCP options.
  - Clear TCP Timestamp: Clears the TCP timestamp option.
  - Clear Window Scale: Clears the window scale option.
  - Range: Sets the action for a range of TCP option numbers.
    - Range: Valid TCP option ranges should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound.
    - Action: Allow or Drop.
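The checks a TCP map turns on are easier to reason about, and to test against captured segments, as a small model. The following Python is an added example, not code from the ASDM guide or the security appliance's normalizer: it applies the Add/Edit TCP Map settings described above to a parsed segment and a snapshot of connection state, covering both invalid-ACK rules, past-window sequence data (honoured only when Queue Limit is 0, as the guide states), SYN and SYN-ACK carrying data, the reserved-bits policy, and TCP option handling (clear selective-ack, timestamp or window scale; allow or drop configured ranges, which must lie within 6-7 and 9-255; clear any other option by default). Sequence arithmetic is modulo 2**32. The dataclass and field names, and the treatment of EOL, NOP and MSS as always left in place, are this example's own assumptions.

```python
"""Per-segment checks that a TCP map turns on (added example, not ASA code).

Applies the Add/Edit TCP Map settings to a parsed segment plus a snapshot of
connection state. Sequence arithmetic is modulo 2**32. Field names are this
example's own; the appliance implements these checks internally.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MSS, WSCALE, SACK_OK, SACK, TIMESTAMP = 2, 3, 4, 5, 8   # TCP option kinds


def seq_gt(a: int, b: int) -> bool:
    """True if a is ahead of b in 32-bit sequence space (wraparound-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def valid_option_range(low: int, high: int) -> bool:
    """Guide constraint: the range lies within 6-7 or 9-255 and low <= high."""
    return low <= high and ((6 <= low and high <= 7) or (9 <= low and high <= 255))


@dataclass
class TcpMap:
    queue_limit: int = 0                  # 0 = disabled; past-window drop applies only then
    drop_past_window: bool = False
    drop_syn_data: bool = False
    drop_synack_data: bool = False
    drop_invalid_ack: bool = False
    reserved_bits: str = "clear"          # 'clear' (clear and allow), 'allow', 'drop'
    clear_sack: bool = False
    clear_timestamp: bool = False
    clear_window_scale: bool = False
    option_ranges: List[Tuple[int, int, str]] = field(default_factory=list)  # (low, high, action)

    def __post_init__(self) -> None:
        for low, high, action in self.option_ranges:
            if not valid_option_range(low, high) or action not in ("allow", "drop"):
                raise ValueError(f"bad TCP option range {(low, high, action)}")


@dataclass
class Segment:
    seq: int
    ack: int
    flags: set                            # subset of {'SYN', 'ACK', 'FIN', 'RST', 'PSH'}
    payload_len: int
    reserved: int = 0                     # value of the header's reserved bits
    options: Dict[int, bytes] = field(default_factory=dict)   # option kind -> raw bytes


@dataclass
class ConnState:
    synack_received: bool                 # the guide's 'SYN-ACK-received' state
    snd_nxt: int                          # sequence number of the next segment we send
    rcv_nxt: int                          # left edge of the receive window
    rcv_wnd: int                          # window we advertise


def invalid_ack(seg: Segment, st: ConnState) -> bool:
    """Rule 1: in SYN-ACK-received state the ACK must equal snd_nxt exactly.
    Rule 2: an ACK number ahead of snd_nxt is always invalid."""
    if "ACK" not in seg.flags:
        return False
    if st.synack_received and seg.ack != st.snd_nxt:
        return True
    return seq_gt(seg.ack, st.snd_nxt)


def past_window(seg: Segment, st: ConnState) -> bool:
    """Sequence number greater than the right edge of the receive window."""
    return seq_gt(seg.seq, (st.rcv_nxt + st.rcv_wnd) & 0xFFFFFFFF)


def normalize_options(opts: Dict[int, bytes], m: TcpMap) -> Tuple[Dict[int, bytes], str]:
    """Return (surviving options, 'allow' | 'drop') under the map's option policy."""
    kept: Dict[int, bytes] = {}
    for kind, raw in opts.items():
        if kind in (0, 1, MSS):                       # EOL, NOP and MSS are left alone
            kept[kind] = raw
        elif kind in (SACK_OK, SACK):
            if not m.clear_sack:
                kept[kind] = raw
        elif kind == TIMESTAMP:
            if not m.clear_timestamp:
                kept[kind] = raw
        elif kind == WSCALE:
            if not m.clear_window_scale:
                kept[kind] = raw
        else:                                         # 6-7, 9-255: configured range or default clear
            action = next((a for lo, hi, a in m.option_ranges if lo <= kind <= hi), "clear")
            if action == "drop":
                return {}, "drop"
            if action == "allow":
                kept[kind] = raw
    return kept, "allow"


def check_segment(seg: Segment, st: ConnState, m: TcpMap) -> Tuple[str, Optional[str]]:
    """Apply the map: returns ('allow' | 'drop', reason) and rewrites seg in place."""
    if m.drop_syn_data and "SYN" in seg.flags and "ACK" not in seg.flags and seg.payload_len:
        return "drop", "syn-data"
    if m.drop_synack_data and {"SYN", "ACK"} <= seg.flags and seg.payload_len:
        return "drop", "synack-data"
    if m.drop_invalid_ack and invalid_ack(seg, st):
        return "drop", "invalid-ack"
    if m.drop_past_window and m.queue_limit == 0 and past_window(seg, st):
        return "drop", "past-window"
    if seg.reserved and m.reserved_bits == "drop":
        return "drop", "reserved-bits"
    if seg.reserved and m.reserved_bits == "clear":
        seg.reserved = 0
    seg.options, verdict = normalize_options(seg.options, m)
    return verdict, ("option-range" if verdict == "drop" else None)
```

The ordering matters for evasion: options are normalized only after the segment has survived the sequence and ACK checks, so a segment that carries a forbidden option and an out-of-window sequence number is reported for the check that would have dropped it first.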
Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


Configuring Time Ranges


Use the Time Ranges option to create a reusable component that defines starting and ending times that can be applied to various security features. Once you have defined a time range, you can select the time range and apply it to different options that require scheduling. The time range feature lets you define a time range that you can attach to traffic rules, or an action. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional periodic entries.

Note: Creating a time range does not restrict access to the device. This pane defines the time range only.

Fields

- Name: Specifies the name of the time range.
- Start Time: Specifies when the time range begins.
- End Time: Specifies when the time range ends.
- Periodic Entries: Specifies further constraints on the active time of the range within the specified start and end times.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Time Range


The Add/Edit Time Range pane lets you define specific times and dates that you can attach to an action. For example, you can attach an access list to a time range to restrict access to the security appliance. The time range relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Note: Creating a time range does not restrict access to the device. This pane defines the time range only.

Fields

- Time Range Name: Specifies the name of the time range. The name cannot contain a space or quotation mark, and must begin with a letter or number.
- Start now/Started: Specifies either that the time range begins immediately or that the time range has already begun. The button label changes based on the Add/Edit state of the time range configuration. If you are adding a new time range, the button displays Start Now. If you are editing a time range for which a fixed start time has already been defined, the button displays Start Now. When editing a time range for which there is no fixed start time, the button displays Started.
- Start at: Specifies when the time range begins.
  - Month: Specifies the month, in the range of January through December.
  - Day: Specifies the day, in the range of 01 through 31.
  - Year: Specifies the year, in the range of 1993 through 2035.
  - Hour: Specifies the hour, in the range of 00 through 23.
  - Minute: Specifies the minute, in the range of 00 through 59.
- Never end: Specifies that there is no end to the time range.
- End at (inclusive): Specifies when the time range ends. The end time specified is inclusive. For example, if you specified that the time range expire at 11:30, the time range is active through 11:30 and 59 seconds. In this case, the time range expires when 11:31 begins.
  - Month: Specifies the month, in the range of January through December.
  - Day: Specifies the day, in the range of 01 through 31.
  - Year: Specifies the year, in the range of 1993 through 2035.
  - Hour: Specifies the hour, in the range of 00 through 23.
  - Minute: Specifies the minute, in the range of 00 through 59.
- Periodic Time Ranges: Configures daily or weekly time ranges.
  - Add: Adds a periodic time range.
  - Edit: Edits the selected periodic time range.
  - Delete: Deletes the selected periodic time range.

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Periodic Time Range


The Add/Edit Periodic Time Range pane lets you refine time ranges further by letting you configure them on a daily or weekly basis.

Note: Creating a time range does not restrict access to the device. This pane defines the time range only.

Fields

- Days of the week
  - Every day: Specifies every day of the week.
  - Weekdays: Specifies Monday through Friday.
  - Weekends: Specifies Saturday and Sunday.
  - On these days of the week: Lets you choose specific days of the week.
  - Daily Start Time: Specifies the hour and the minute that the time range begins.
  - Daily End Time (inclusive): Specifies the hour and the minute that the time range ends. The end time specified is inclusive.
- Weekly Interval
  - From: Lists the day of the week, Monday through Sunday.
  - Through: Lists the day of the week, Monday through Sunday.
  - Hour: Lists the hour, in the range of 00 through 23.
  - Minute: Lists the minute, in the range of 00 through 59.
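Because an access list bound to a time range silently stops matching when the range goes inactive, it is worth being able to evaluate a range off the box for any given clock value. The following Python is an added example and is not code from the ASDM guide or the security appliance: it models the semantics described for Add/Edit Time Range and Add/Edit Periodic Time Range above, namely an optional absolute start (None standing for Start now), an optional absolute end that is inclusive through the last second of its minute (an end of 11:30 stays active until 11:31 begins), and zero or more periodic entries that further restrict the active time, either daily windows on chosen days of the week or a weekly interval from one day and time through another, with inclusive end times. The name rule (must begin with a letter or digit, no space or quotation mark) is enforced too. The class and function names are this example's own assumptions.

```python
"""Evaluate an ASA-style time range (added example, not ASDM code).

Absolute start/end plus optional periodic entries, with the inclusive end
semantics the guide describes. Names and types are this example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)            # datetime.weekday() numbering
WEEKDAYS, WEEKENDS = {MON, TUE, WED, THU, FRI}, {SAT, SUN}


def week_minute(day: int, hour: int, minute: int) -> int:
    """Minutes since Monday 00:00 for a (weekday, hour, minute) triple."""
    return day * 1440 + hour * 60 + minute


def valid_name(name: str) -> bool:
    """Must begin with a letter or number; no space or quotation mark."""
    return bool(name) and name[0].isalnum() and not any(c in name for c in ' "')


@dataclass
class DailyEntry:
    days: set                                            # weekday numbers the window applies on
    start: Tuple[int, int]                               # (hour, minute) Daily Start Time
    end: Tuple[int, int]                                 # (hour, minute) Daily End Time, inclusive

    def active(self, now_wm: int) -> bool:
        day = now_wm // 1440
        return day in self.days and week_minute(day, *self.start) <= now_wm <= week_minute(day, *self.end)


@dataclass
class WeeklyInterval:
    start: Tuple[int, int, int]                          # (day, hour, minute) From
    end: Tuple[int, int, int]                            # (day, hour, minute) Through, inclusive

    def active(self, now_wm: int) -> bool:
        a, b = week_minute(*self.start), week_minute(*self.end)
        if a <= b:
            return a <= now_wm <= b
        return now_wm >= a or now_wm <= b                 # interval wraps past Sunday midnight


@dataclass
class TimeRange:
    name: str
    start: Optional[datetime] = None                     # None = Start now / Started
    end: Optional[datetime] = None                       # None = Never end; inclusive to the minute
    periodic: List = field(default_factory=list)         # DailyEntry and WeeklyInterval objects

    def __post_init__(self) -> None:
        if not valid_name(self.name):
            raise ValueError(f"invalid time range name {self.name!r}")
        if self.start and self.end and self.end < self.start:
            raise ValueError("end precedes start")


def is_active(tr: TimeRange, now: datetime) -> bool:
    """True when now is inside the absolute window and, if periodic entries exist, inside one of them."""
    if tr.start is not None and now < tr.start:
        return False
    if tr.end is not None:
        end_exclusive = tr.end.replace(second=0, microsecond=0) + timedelta(minutes=1)
        if now >= end_exclusive:                         # 11:30 means active through 11:30:59
            return False
    if not tr.periodic:
        return True
    now_wm = week_minute(now.weekday(), now.hour, now.minute)
    return any(entry.active(now_wm) for entry in tr.periodic)


if __name__ == "__main__":
    office = TimeRange("office-hours", start=datetime(2008, 1, 1), end=datetime(2008, 12, 31, 11, 30),
                       periodic=[DailyEntry(WEEKDAYS, (8, 0), (17, 0))])
    for t in (datetime(2008, 6, 2, 17, 0, 59), datetime(2008, 6, 2, 17, 1), datetime(2008, 12, 31, 11, 31)):
        print(t, is_active(office, t))
```

The example evaluates against whatever datetime it is handed; on the appliance the comparison is against the system clock, which is why the guide recommends NTP synchronization for this feature.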

Modes

The modes table lists the availability of this feature by Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


Chapter 7

Configuring Security Contexts


This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections:

- Security Context Overview, page 7-1
- Enabling or Disabling Multiple Context Mode at the CLI, page 7-9
- Configuring Resource Classes, page 7-10
- Configuring Security Contexts, page 7-16

Security Context Overview


You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. This section provides an overview of security contexts, and includes the following topics:

- Common Uses for Security Contexts, page 7-2
- Unsupported Features, page 7-2
- Context Configuration Files, page 7-2
- How the Security Appliance Classifies Packets, page 7-2
- Management Access to Security Contexts, page 7-8


Common Uses for Security Contexts


You might want to use multiple security contexts in the following situations:

- You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
- You are a large enterprise or a college campus and want to keep departments completely separate.
- You are an enterprise that wants to provide distinct security policies to different departments.
- You have any network that requires more than one security appliance.

Unsupported Features
Multiple context mode does not support the following features:

- Dynamic routing protocols. Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.
- VPN
- Multicast

Context Configuration Files


Each context has its own configuration file that identifies the security policy, interfaces, and, for supported features, all the options you can configure on a standalone device. You can store context configurations on the internal Flash memory or the external Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server. In addition to individual security contexts, the security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. Like the single mode configuration, this configuration resides as the startup configuration. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named admin. If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets


Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send a packet. This section includes the following topics:

- Valid Classifier Criteria, page 7-3
- Invalid Classifier Criteria, page 7-4
- Classification Examples, page 7-4

Note: If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.

Valid Classifier Criteria


This section describes the criteria used by the classifier, and includes the following topics:

Unique Interfaces, page 7-3
Unique MAC Addresses, page 7-3
NAT Configuration, page 7-3

Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses


If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see Add/Edit Interface > Advanced), or you can automatically generate MAC addresses (see Security Contexts).

NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context:

Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0


Note

For management traffic destined for an interface, the interface IP address is used for classification.

Invalid Classifier Criteria


The following configurations are not used for packet classification:

NAT exemption - The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface.
Routing table - If a context includes a static route that points to an external router as the next-hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.

Classification Examples
Figure 7-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.
Figure 7-1 Packet Classification with a Shared Interface using MAC Addresses

[Figure 7-1 (diagram): a packet from the Internet with destination 209.165.201.1, sent via MAC 000C.F142.4CDC, arrives on the shared interface GE 0/0.1 and enters the classifier. On the shared interface, the Admin Context uses MAC 000C.F142.4CDA, Context A uses MAC 000C.F142.4CDB, and Context B uses MAC 000C.F142.4CDC. Behind the contexts are GE 0/1.1 Admin Network (host 209.165.202.129), GE 0/1.2 Inside Customer A (host 209.165.200.225), and GE 0/1.3 Inside Customer B (host 209.165.201.1).]


Figure 7-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
Figure 7-2 Packet Classification with a Shared Interface using NAT

[Figure 7-2 (diagram): a packet from the Internet with destination 209.165.201.3 arrives on the shared interface GE 0/0.1 and enters the classifier, which checks the Admin Context, Context A, and Context B. Context B holds the destination address translation 209.165.201.3 to 10.1.1.13. Behind the contexts are GE 0/1.1 Admin Network, GE 0/1.2 Inside Customer A, and GE 0/1.3 Inside Customer B, each with a host at 10.1.1.13.]

Note that all new incoming traffic must be classified, even from inside networks. Figure 7-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Note

If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, and you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible; the outside network is large (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.


Figure 7-3 Incoming Traffic from Inside Networks

[Figure 7-3 (diagram): GE 0/0.1 toward the Internet is shared by the Admin Context, Context A, and Context B. The classifier operates on the inside interfaces GE 0/1.1 Admin Network, GE 0/1.2 Inside Customer A, and GE 0/1.3 Inside Customer B, each with a host at 10.1.1.13.]


For transparent firewalls, you must use unique interfaces. Figure 7-4 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 7-4 Transparent Firewall Contexts

[Figure 7-4 (diagram): toward the Internet, the Admin Context, Context A, and Context B each have their own outside subinterface (GE 0/0.1, GE 0/0.2, and GE 0/0.3). The classifier operates on the inside interfaces GE 1/0.1 Admin Network (host 10.1.1.13), GE 1/0.2 Inside Customer A (host 10.1.2.13), and GE 1/0.3 Inside Customer B (host 10.1.3.13).]
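The classification order described in this section (unique interface, then unique MAC, then destination IP against the NAT configuration, with static routes ignored and group-addressed frames duplicated) can be modelled directly. The following is an added example, not Cisco code; the context names, interface IDs, MAC addresses and hosts come from Figures 7-1 to 7-3, and the static route in Context A is constructed to show that the classifier does not consult it.

```python
"""Model of the three-stage packet classifier described in this section.

Added example, not Cisco code. Contexts, interfaces, MACs and addresses mirror
Figures 7-1 to 7-3; the static route in Context A is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Context:
    name: str
    interfaces: set                                    # interface IDs allocated to the context
    macs: dict = field(default_factory=dict)           # interface -> context-specific MAC
    nat_subnets: dict = field(default_factory=dict)    # interface -> [IPv4Network] from static/global
    static_routes: list = field(default_factory=list)  # never consulted by the classifier


def is_group_mac(mac: str) -> bool:
    """Multicast/broadcast: the I/G bit (lowest bit of the first octet) is set."""
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)


def classify(contexts, ingress, dst_mac, dst_ip):
    """Return the names of the contexts that receive the packet.

    An empty list means no context could be chosen; several names mean the
    packet was duplicated because the destination MAC is multicast/broadcast.
    """
    owners = [c for c in contexts if ingress in c.interfaces]
    if not owners:
        return []
    # Stage 1: a unique ingress interface decides by itself (always the case in transparent mode).
    if len(owners) == 1:
        return [owners[0].name]
    # Group-addressed frames are delivered to every context sharing the interface.
    if is_group_mac(dst_mac):
        return [c.name for c in owners]
    # Stage 2: every sharing context has its own MAC on the interface, so match on MAC.
    if all(ingress in c.macs for c in owners):
        wanted = dst_mac.replace(".", "").lower()
        return [c.name for c in owners
                if c.macs[ingress].replace(".", "").lower() == wanted]
    # Stage 3: no unique MACs, so look the destination IP up in each context's
    # static/global configuration for this interface; all other fields are ignored.
    addr = IPv4Address(dst_ip)
    hits = [c.name for c in owners
            if any(addr in net for net in c.nat_subnets.get(ingress, []))]
    return hits if len(hits) == 1 else []   # overlapping mappings are treated as unclassifiable here


SHARED = "GE0/0.1"


def figure_contexts(unique_macs: bool):
    """Constructed admin/A/B contexts sharing GE0/0.1, as in Figures 7-1 and 7-2."""
    admin = Context("admin", {SHARED, "GE0/1.1"})
    ctx_a = Context("A", {SHARED, "GE0/1.2"})
    ctx_b = Context("B", {SHARED, "GE0/1.3"})
    if unique_macs:
        admin.macs[SHARED] = "000C.F142.4CDA"
        ctx_a.macs[SHARED] = "000C.F142.4CDB"
        ctx_b.macs[SHARED] = "000C.F142.4CDC"
    # Figure 7-2: only Context B translates 209.165.201.3 (to 10.1.1.13) on the shared interface.
    ctx_b.nat_subnets[SHARED] = [IPv4Network("209.165.201.3/32")]
    # Constructed: Context A has a static route for the whole subnet; the classifier ignores it.
    ctx_a.static_routes.append(IPv4Network("209.165.201.0/24"))
    return [admin, ctx_a, ctx_b]


if __name__ == "__main__":
    print(classify(figure_contexts(True), SHARED, "000C.F142.4CDC", "209.165.201.1"))    # ['B'] (Figure 7-1)
    print(classify(figure_contexts(False), SHARED, "000C.F142.4CDC", "209.165.201.3"))   # ['B'] (Figure 7-2)
    print(classify(figure_contexts(False), "GE0/1.3", "0000.0000.0001", "198.51.100.1"))  # ['B'] (Figure 7-3)
```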

Cascading Security Contexts


Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.

Note

Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.


Figure 7-5 shows a gateway context with two contexts behind the gateway.
Figure 7-5 Cascading Contexts

[Figure 7-5 (diagram): the Gateway Context's outside interface GE 0/0.2 faces the Internet; its inside interface GE 0/0.1 is the shared interface that serves as the outside interface of both the Admin Context and Context A. The inside interfaces of the Admin Context and Context A are GE 1/1.8 and GE 1/1.43.]

Management Access to Security Contexts


The security appliance provides system administrator access in multiple context mode as well as access for individual context administrators. The following sections describe logging in as a system administrator or as a context administrator:

System Administrator Access, page 7-8
Context Administrator Access, page 7-9

System Administrator Access


You can access the security appliance as a system administrator in two ways:

Access the security appliance console. From the console, you access the system execution space.
Access the admin context using Telnet, SSH, or ASDM. See Chapter 11, Configuring Device Access, to enable Telnet, SSH, and ASDM access.

As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default enable_15 username. If you configured command authorization in that context, you need to either configure authorization privileges for the enable_15 user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command. For example, you log in to the admin context with the username admin. The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user admin with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as admin by entering the login command. When you change to context B, you must again enter the login command to log in as admin.

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access


You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See Chapter 11, Configuring Device Access, to enable Telnet, SSH, and ASDM access and to configure management authentication.

Enabling or Disabling Multiple Context Mode at the CLI


Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI. This section includes the following topics:

Backing Up the Single Mode Configuration, page 7-9
Enabling Multiple Context Mode, page 7-9
Restoring Single Context Mode, page 7-10

Backing Up the Single Mode Configuration


When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.

Enabling Multiple Context Mode


The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name admin. To enable multiple mode, enter the following command:
hostname(config)# mode multiple


You are prompted to reboot the security appliance.

Restoring Single Context Mode


If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy. To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps in the system execution space:
Step 1

To copy the backup version of your original running configuration to the current startup configuration, enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config

Step 2

To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single

The security appliance reboots.

Configuring Resource Classes


By default, all security contexts have unlimited access to the resources of the security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. This section includes the following topics:

Classes and Class Members Overview, page 7-10
Adding a Resource Class, page 7-13

Classes and Class Members Overview


The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:

Resource Limits, page 7-11
Default Class, page 7-12
Class Members, page 7-13


Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can use up those resources, potentially affecting service to other contexts. You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value. You can oversubscribe the security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 7-6.)
Figure 7-6 Resource Oversubscription

[Figure 7-6 (chart): Total Number of System Connections = 999,900. X-axis: Contexts in Class, 1 through 10. Y-axis: per-context share, from Max. 20% (199,800) down to 4% (39,996). Legend: Maximum connections allowed; Connections in use; Connections denied because system limit was reached.]

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the security appliance, then the performance of the security appliance might be impaired. The security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of unassigned connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 7-7.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.


Figure 7-7 Unlimited Resources

[Figure 7-7 (chart): Contexts A, B, and C in the Silver Class, each with a 1 percent maximum, beside Contexts 1, 2, and 3 in the Gold Class; y-axis ticks run from 1% to 50%. Legend: Maximum connections allowed; Connections in use; Connections denied because system limit was reached.]

Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class. If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class. By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions - 5 sessions.
SSH sessions - 5 sessions.
IPSec sessions - 5 sessions.
MAC addresses - 65,535 entries.


Figure 7-8 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.
Figure 7-8 Resource Classes

[Figure 7-8 (diagram): Class Bronze (Some Limits Set) and Class Silver (Some Limits Set) contain Contexts A and C; Class Gold (All Limits Set) contains Context B; Context D belongs directly to the Default Class, from which Bronze and Silver inherit their unset limits.]

Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.
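The limit resolution and oversubscription arithmetic described in this overview (class settings first, default class for anything undefined, otherwise unlimited; percentages summed across contexts; the share each context actually gets when the system limit is hit) is modelled below. This is an added example, not ASDM code; the system limits are constructed sample values, with the connection total taken from Figure 7-6 and the session caps from the Add/Edit Resource Class field descriptions.

```python
"""Model of resource-class limit resolution and oversubscription.

Added example, not ASDM code. SYSTEM_LIMITS are constructed sample values.
"""
from dataclasses import dataclass

UNLIMITED = None   # a limit of 0 in the dialog means unlimited

# Constructed: connection total from Figure 7-6, session caps from the field descriptions.
SYSTEM_LIMITS = {"conns": 999_900, "telnet": 100, "ssh": 100, "asdm": 80, "mac": 65_535}

RESOURCES = ("conns", "hosts", "xlates", "telnet", "ssh", "asdm", "ipsec", "mac")


@dataclass(frozen=True)
class Limit:
    value: int
    unit: str = "absolute"     # "absolute" or "percent"

    def resolve(self, resource):
        """Absolute cap this limit yields for one context, or UNLIMITED."""
        if self.unit == "percent":
            # A percentage is only meaningful against a hard system limit.
            if resource not in SYSTEM_LIMITS:
                raise ValueError(f"{resource} has no system limit; set an absolute value")
            return SYSTEM_LIMITS[resource] * self.value // 100
        return UNLIMITED if self.value == 0 else self.value


# Default class as the chapter describes it: unlimited except these four.
DEFAULT_CLASS = {
    "telnet": Limit(5), "ssh": Limit(5), "ipsec": Limit(5), "mac": Limit(65_535),
}


def effective_limits(class_limits):
    """What 'Show Actual Class Limits' reports: the class's own settings, the
    default class for anything left undefined, and unlimited otherwise."""
    result = {}
    for res in RESOURCES:
        lim = class_limits.get(res, DEFAULT_CLASS.get(res))
        result[res] = lim.resolve(res) if lim is not None else UNLIMITED
    return result


def assigned_percent(resource, classes, membership):
    """Share of the system limit handed out across all contexts.

    classes: {class_name: {resource: Limit}}; membership: {context: class_name}.
    Returns None when any context is unlimited for the resource (no bound exists);
    a value above 100 means the appliance is oversubscribed.
    """
    total = 0.0
    for cls_name in membership.values():
        cap = effective_limits(classes.get(cls_name, {}))[resource]
        if cap is UNLIMITED:
            return None
        total += cap * 100 / SYSTEM_LIMITS[resource]
    return round(total, 2)


def saturated_share(resource, class_limit, n_contexts):
    """Cap each of n contexts in the class actually gets when all of them try
    to use their full limit at once (the Figure 7-6 situation)."""
    per_context = class_limit.resolve(resource)
    if per_context is UNLIMITED or per_context * n_contexts <= SYSTEM_LIMITS[resource]:
        return per_context
    return SYSTEM_LIMITS[resource] // n_contexts


if __name__ == "__main__":
    bronze = {"conns": Limit(20, "percent")}
    ten = {f"ctx{i}": "Bronze" for i in range(10)}
    print(assigned_percent("conns", {"Bronze": bronze}, ten))   # 200.0, oversubscribed
    print(saturated_share("conns", bronze["conns"], 10))        # 99990, not the 199980 intended
    print(effective_limits({"conns": Limit(2, "percent")}))    # conns 19998, telnet/ssh/ipsec 5, mac 65535
```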

Adding a Resource Class


This section describes the panes available for configuring resource classes, and includes the following topics:

Resource Class, page 7-13
Add/Edit Resource Class, page 7-14

Resource Class
The Resource Class pane shows the configured classes and information about each class. It also lets you add, edit, or delete a class.
Fields

Class - Shows the class name.
All Resources - Shows the limit for all resources that you do not set individually, which can only be 0, which means unlimited.
Connections - Shows the limit for TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
Hosts - Shows the limit for hosts that can connect through the security appliance.
Xlates - Shows the limit for address translations.
Telnet - Shows the limit for Telnet sessions, by default 5.
SSH - Shows the limit for SSH sessions, by default 5.
ASDM Sessions - Shows the limit for ASDM management sessions, by default 5. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between all contexts.
MAC - Shows the limit for MAC addresses in the MAC address table in transparent firewall mode, by default 65535.
Conns/sec - Shows the limit for connections per second.
Fixups/sec - Shows the limit for application inspections per second.
Syslogs/sec - Shows the limit for system log messages per second.
Contexts - Shows the contexts assigned to this class.
Add - Adds a class.
Edit - Edits a class.
Delete - Deletes a class. You cannot delete the default class. If you delete a class to which you assigned contexts, the contexts revert to using the default class.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System

Add/Edit Resource Class


The Add/Edit Resource Class dialog box lets you add or edit a resource class.
Fields

Resource Class - Sets the class name as a string up to 20 characters in length.
Count Limited Resources - Sets the concurrent limits for resources. For resources that do not have a system limit, you cannot set the percentage; you can only set an absolute value. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then the resource is unlimited, or the system limit if available.
  Hosts - Sets the limit for concurrent hosts that can connect through the security appliance. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
  Telnet - Sets the limit for concurrent Telnet sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
  ASDM Sessions - Sets the limit for concurrent ASDM sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 80 sessions divided between all contexts. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between all contexts.
  Connections - Sets the limit for concurrent TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Release Notes for Cisco ASDM for the connection limit for your model.
  Xlates - Sets the limit for address translations. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
  SSH - Sets the limit for SSH sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
  MAC Entries - (Transparent mode only) Sets the limit for MAC address entries in the MAC address table. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 65535 and selecting Absolute from the list.
Rate Limited Resources - Sets the rate limit for resources. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then it is unlimited by default.
  Conns/sec - Sets the limit for connections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
  Syslogs/sec - Sets the limit for system log messages per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
  Inspects/sec - Sets the limit for application inspections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
Show Actual Class Limits - (Non-default classes only) When you edit a class, this button shows the limits you set plus any inherited limits from the default class for limits you did not set.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System

Configuring Security Contexts


This section describes how to add security contexts, and includes the following topics:

Security Contexts, page 7-16
Add/Edit Context, page 7-17
Add/Edit Interface Allocation, page 7-18

Security Contexts
The Security Contexts pane shows the configured contexts and information about each context. It also lets you add, edit, or delete a context. For more information about multiple context mode, see the Security Context Overview section on page 7-1.
Prerequisites

Before you can configure contexts using ASDM, make sure the security appliance is in multiple context mode. If the ASDM toolbar includes Context and System tools, then the security appliance is in multiple mode. Also, the Home > Device Information > General tab shows the current context mode, either multiple or single. To change from single mode to multiple, access the security appliance CLI and enter the mode multiple command. See the Enabling or Disabling Multiple Context Mode at the CLI section on page 7-9 for more information.
Fields

Context - Shows the context name.
Interfaces - Shows the interfaces and subinterfaces assigned to the context. If you assigned an alias for the interface name to show in a context, then the aliased name is shown in parentheses. If you specified a range of subinterfaces, the range displays with a dash between the first and last subinterface numbers.
Resource - Shows the resource class for each context.
Config URL - Shows the context configuration location.
Group - Shows the failover group to which this context belongs.
Description - Shows a description of the context.
Add - Adds a context.
Edit - Edits a context.
Delete - Deletes a context.
Mac-Address auto - Automatically assigns private MAC addresses to each shared context interface.


To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the How the Security Appliance Classifies Packets section on page 7-2 for information about classifying packets.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption.

When you assign an interface to a context, the new MAC address is generated immediately. If you enable this option after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you apply the option. If you disable this option, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

The MAC address is generated using the following format:
Active unit MAC address: 12_slot.port_subid.contextid.
Standby unit MAC address: 02_slot.port_subid.contextid.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context.

For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:
Active: 1200.0131.0001
Standby: 0200.0131.0001

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the Configuring the Interfaces section on page 4-2 to manually set the MAC address.
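The address format above can be reproduced and checked against an inventory of addresses already on the network, which is how you would spot the rare conflict the text mentions before it reaches production. This is an added example, not Cisco code; it assumes that slot, port and subid are rendered as two zero-padded decimal digits and the context ID as four (an assumption that reproduces the 1200.0131.0001 / 0200.0131.0001 pair given for GigabitEthernet 0/1.200 in context ID 1), and the inventory below is constructed.

```python
"""Generator and collision check for auto-assigned context-interface MACs.

Added example, not Cisco code. Assumption: slot, port and subid render as two
zero-padded decimal digits and the context ID as four, which reproduces the
1200.0131.0001 / 0200.0131.0001 pair the text gives.
"""

ACTIVE_PREFIX = "12"    # active unit
STANDBY_PREFIX = "02"   # standby unit


def generated_mac(prefix, slot, port, subid, context_id):
    """Dotted 12-digit form (prefix_slot.port_subid.contextid), e.g. 1200.0131.0001."""
    if not (0 <= slot <= 99 and 0 <= port <= 99 and 0 <= subid <= 99
            and 0 <= context_id <= 9999):
        raise ValueError("field out of range for this rendering")
    digits = f"{prefix}{slot:02d}{port:02d}{subid:02d}{context_id:04d}"
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_pair(slot, port, subid, context_id):
    """(active, standby) addresses for one context interface."""
    return (generated_mac(ACTIVE_PREFIX, slot, port, subid, context_id),
            generated_mac(STANDBY_PREFIX, slot, port, subid, context_id))


def is_private_unicast(mac):
    """Both prefixes set the locally-administered bit and clear the group bit,
    so a generated address can never be a vendor burned-in or multicast MAC."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01


def find_conflicts(context_ifaces, inventory):
    """context_ifaces: iterable of (label, slot, port, subid, context_id).
    inventory: {mac: owner} for addresses already present on the network.
    Returns [(label, mac, existing_owner)] for every generated active or
    standby address that collides; those interfaces need a manually set MAC."""
    owners = dict(inventory)
    conflicts = []
    for label, slot, port, subid, ctx_id in context_ifaces:
        for mac in mac_pair(slot, port, subid, ctx_id):
            if mac in owners:
                conflicts.append((label, mac, owners[mac]))
            else:
                owners[mac] = label
    return conflicts


if __name__ == "__main__":
    print(mac_pair(0, 1, 31, 1))   # ('1200.0131.0001', '0200.0131.0001')
    # Constructed inventory: a lab device already uses the active address.
    inventory = {"1200.0131.0001": "lab-switch-port-7"}
    ifaces = [("ctxA GE0/1.200", 0, 1, 31, 1), ("ctxB GE0/1.201", 0, 1, 32, 2)]
    print(find_conflicts(ifaces, inventory))   # [('ctxA GE0/1.200', '1200.0131.0001', 'lab-switch-port-7')]
```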
Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System

Add/Edit Context
The Add Context dialog box lets you add or edit a security context and define context parameters.


Fields

Security Context - Sets the context name as a string up to 32 characters long. This name is case sensitive, so you can have two contexts named customerA and CustomerA, for example. System or Null (in upper or lower case letters) are reserved names, and cannot be used.
Interface Allocation - Shows the interfaces and subinterfaces assigned to this context.
  Interface - Shows the interface IDs. If you specified a range of subinterfaces, the range displays with a dash between the first and last subinterface numbers.
  Aliased Name - Shows the aliased name for this interface to be used in the context configuration instead of the interface ID.
  Visible - Shows whether context users can see physical interface properties even if you set an aliased name.
  Add - Adds an interface to the context.
  Edit - Edits the interface properties.
  Delete - Deletes an interface.
Resource Assignment - Assigns the context to a resource class.
  Resource Class - Select a class from the list.
  Edit - Edits the selected resource class.
  New - Adds a resource class.
Config URL - Specifies the context configuration location, as a URL. Choose the file system type in the list, and then enter the server (for remote file systems), path, and filename in the field. For example, the combined URL for FTP has the following format: ftp://server.example.com/configs/admin.cfg
Login - Sets the username and password for remote file systems.
Failover Group - Sets the failover group for active/active failover.
Description - Sets an optional description for the context.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Add/Edit Interface Allocation

The Add/Edit Interface Allocation dialog box lets you assign interfaces to a context and set interface parameters.

Fields

• Interfaces: Specifies the physical interface and subinterface IDs.


  - Physical Interface: Sets the physical interface to assign to the context. You can assign the main interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown. If the main interface was already assigned to another context, then you must choose a subinterface.
  - Sub Interface Range (Optional): Sets the subinterface ID or a range of subinterface IDs. To specify a single subinterface, choose the ID in the first list. To specify a range, choose the ending ID in the second list, if available. In transparent firewall mode, only subinterfaces that have not been allocated to other contexts are shown.
• Aliased Names: Sets an aliased name for this interface to be used in the context configuration instead of the interface ID.
  - Use Aliased Name in Context: Enables aliased names in the context.
  - Name: Sets the aliased name. An aliased name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. This field lets you specify a name that ends with a letter or underscore; to add an optional digit after the name, set the digit in the Range field.
  - Range: Sets the numeric suffix for the aliased name. If you have a range of subinterfaces, you can enter a range of digits to be appended to the name.
• Show Hardware Properties in Context: Enables context users to see physical interface properties even if you set an aliased name.
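The Name and Range rules above are easy to get wrong when a range of subinterfaces is allocated at once. The following added example, which is not code from the guide or from Cisco, encodes those rules: the finished alias must start with a letter, end with a letter or digit and contain only letters, digits and underscores, while the Name field itself may end in an underscore when the Range field supplies the digits. The function names, the uniqueness check on the resulting aliases and the sample values are mine.

```python
import re

# Added example (not from the guide): validate the Name and Range fields of the
# Add/Edit Interface Allocation dialog and expand them into one alias per
# subinterface. Sample values are constructed.

# A finished alias: starts with a letter, ends with a letter or digit, and has
# only letters, digits or underscores in between.
FINAL_ALIAS_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# The Name field may end with an underscore (or a letter) when the Range field
# supplies the trailing digits.
NAME_FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def is_valid_alias(name: str) -> bool:
    """True when `name` is acceptable as the alias a context user will see."""
    return FINAL_ALIAS_RE.match(name) is not None


def expand_aliases(name, subinterfaces, digit_range=None):
    """Map each allocated subinterface ID to its alias.

    subinterfaces: subinterface IDs in the order they are allocated
    digit_range:   (first, last) numeric suffix range from the Range field, or None
    """
    if NAME_FIELD_RE.match(name) is None:
        raise ValueError(f"invalid Name field: {name!r}")
    if digit_range is None:
        suffixes = [""] * len(subinterfaces)
    else:
        first, last = digit_range
        suffixes = [str(n) for n in range(first, last + 1)]
        if len(suffixes) != len(subinterfaces):
            raise ValueError("Range must supply one suffix per subinterface")
    aliases = {}
    for sub_id, suffix in zip(subinterfaces, suffixes):
        alias = name + suffix
        if not is_valid_alias(alias):
            raise ValueError(f"resulting alias {alias!r} is not valid")
        aliases[sub_id] = alias
    # Assumption: two interfaces in one context cannot share an alias.
    if len(set(aliases.values())) != len(aliases):
        raise ValueError("aliases must be unique")
    return aliases


def allocation_error(name, subinterfaces, digit_range=None):
    """Return the validation message for a bad allocation, or None when it is valid."""
    try:
        expand_aliases(name, subinterfaces, digit_range)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed allocation: subinterfaces 200-202 become dmz_1 .. dmz_3.
    print(expand_aliases("dmz_", [200, 201, 202], (1, 3)))
    print(allocation_error("dmz_", [200]))
```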

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Chapter 8

Configuring Device Properties

This section contains the following topics:

• Management IP
• Device Administration
• Auto Update

Management IP

The Management IP window lets you set the management IP address for the security appliance or for a context in transparent firewall mode.

A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. The exception is that you can set the IP address for the Management 0/0 management-only interface, which does not pass through traffic. See the Configuring the Interfaces section to set the IP address for Management 0/0.

This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Fields

• Management IP Address: Sets the management IP address.
• Subnet Mask: Sets the subnet mask.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Device Administration

Under Device Administration, you can set basic parameters for the security appliance. This section contains the following topics:

• Banner
• Boot Image/Configuration
• Console
• Clock
• Device
• FTP Mode
• ICMP Rules
• Management Access
• NTP
• Password
• Secure Copy
• SNMP
• TFTP Server
• User Accounts

Banner

The Banner panel lets you configure message of the day, login, and session banners. To create a banner, enter text into the appropriate box. Spaces in the text are preserved. Tabs can be entered in the ASDM interface but cannot be entered through the command line interface.

The tokens $(domain) and $(hostname) are replaced with the host name and domain name of the security appliance. Use the $(hostname) and $(domain) tokens to echo the hostname and domain name specified in a particular context. Use the $(system) token to echo a banner configured in the system space in a particular context.

Multiple lines in a banner are handled by entering a line of text for each line you wish to add. Each line is then appended to the end of the existing banner. If the text is empty, then a carriage return (CR) will be added to the banner.

There is no limit on the length of a banner other than RAM and Flash memory limits. You can only use ASCII characters, including new line (the Enter key, which counts as two characters).

When accessing the security appliance through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages or if a TCP write error occurs when attempting to display the banner messages.

To replace a banner, change the contents of the appropriate box and click Apply. To clear a banner, clear the contents of the appropriate box and click Apply.

Although the banner command is not available in the System Context through the ASDM panel, it can be configured with Tools > Command Line Interface.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Boot Image/Configuration

Boot Image/Configuration lets you choose which image file the security appliance will boot from, as well as which configuration file it will use at startup.

You can specify up to four local binary image files for use as the startup image, and one image located on a TFTP server for the device to boot from. If you specify an image located on a TFTP server, it must be first in the list. In the event the device cannot reach the TFTP server to load the image from, it will attempt to load the next image file in the list located in Flash. If you do not specify any boot variable, the first valid image on internal flash will be chosen to boot the system.

Fields

Boot Configuration

• Boot Order: Displays the order in which binary image files will be used to boot.
• Boot Image Location: Displays the physical location and path of the boot file.
• Boot Config File Path: Displays the location of the configuration file.
• Add: Lets you add a flash or TFTP boot image entry to be used in the boot process.
• Edit: Lets you edit a flash or TFTP boot image entry.
• Delete: Deletes the selected flash or TFTP boot image entry.
• Move Up: Moves the selected flash or TFTP boot image entry up in the boot order.
• Move Down: Moves the selected flash or TFTP boot image entry down in the boot order.
• Browse Flash: Lets you specify the location of a boot image or configuration file.

ASDM Image Configuration

• ASDM Image File Path: Displays the location of the configuration file the device will use at startup.
• Browse Flash: Lets you specify the location of a boot image or configuration file.
Modes

The following table shows the modes in which this feature is available:


Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Add Boot Image

To add a boot image entry to the boot order list, click Add on the Boot Image/Configuration panel. You can select a Flash or TFTP image to add a boot image to the boot order list. Either type the path of the image, or click Browse Flash to specify the image location. You must type the path of the image location if you are using TFTP.

Fields

• Flash Image: Select to add a boot image located in the flash file system.
  - Path: Specify the path of the boot image in the flash file system.
• TFTP Image: Select to add a boot image located on a TFTP server.
  - [Path]: Enter the path on the TFTP server of the boot image file, including the IP address of the server.
• OK: Accepts changes and returns to the previous panel.
• Cancel: Discards changes and returns to the previous panel.
• Help: Provides more information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Clock
The Clock panel lets you manually set the date and time for the security appliance. The time displays in the status bar at the bottom of the main ASDM window. In multiple context mode, set the time in the system configuration only. To dynamically set the time using an NTP server, see the NTP panel; time derived from an NTP server overrides any time set manually in the Clock panel.


Fields

• Time Zone: Sets the time zone as GMT plus or minus the appropriate number of hours. If you select the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, then the time adjusts automatically for daylight saving time, from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.

Note

Changing the time zone on the security appliance may drop the connection to intelligent SSMs.

• Date: Sets the date. Select the date and year from the lists, and then click the day on the calendar.
• Time: Sets the time on a 24-hour clock.
  - hh, mm, and ss boxes: Sets the hour, minutes, and seconds.
• Update Display Time: Updates the time shown at the bottom right corner of the ASDM window. The current time updates automatically every ten seconds.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Console
The Console panel lets you specify a time period in minutes for the management console to remain active. When it reaches the time limit you specify here, the console automatically shuts down. Type the time period in the Console Timeout text box. To specify unlimited, enter 0. The default value is 0.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Device
The Device panel lets you set the hostname and domain name for the security appliance.


The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in system messages.

For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line, but can be used for a banner.

The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to example.com, and specify a syslog server by the unqualified name of jupiter, then the security appliance qualifies the name to jupiter.example.com.

Fields

• Platform Host Name: Sets the hostname. The default hostname depends on your platform.
• Domain Name: Sets the domain name. The default domain name is default.domain.invalid.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

FTP Mode

The FTP Mode panel configures FTP mode as active or passive. The security appliance can use FTP to upload or download image files or configuration files to or from an FTP server. In passive FTP, the client initiates both the control connection and the data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.

Fields

• Specify FTP mode as passive: Configures FTP mode as active or passive.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


ICMP Rules

The ICMP Rules panel provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the security appliance. You can use this table to add or change the hosts or networks that are allowed or prevented from sending ICMP messages to the security appliance.

The ICMP rule list controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.

Note

Use the Security Policy panel to configure access rules for ICMP traffic that is routed through the security appliance for destinations on a protected interface.

It is recommended that permission is always granted for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.

If an ICMP control list is configured, then the security appliance uses a first match to the ICMP traffic followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates a syslog message. An exception is when an ICMP control list is not configured; in that case, a permit statement is assumed.
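The first-match and implicit-deny behaviour described above is worth testing against a rule list before it is applied, particularly to confirm that type 3 (unreachable) is still permitted. The following is an added example, not code from the guide or from Cisco, that models the rule list with the fields of this panel, evaluates a packet terminating on an interface exactly as the text describes (no list means permit; otherwise first match, then implicit deny), and flags interfaces on which no permit entry covers type 3. The rule shape, the sample rules and the helper names are mine; the type literals are those of Table 8-1, and the `describe` function renders a rule in the syntax of the ASA `icmp` command as I know it, which this page does not show.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the guide): first-match / implicit-deny evaluation of
# the ICMP rule list, plus a check for the recommended type 3 permit.
# Sample rules below are constructed.

ICMP_TYPE_LITERALS = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    6: "alternate-address", 8: "echo", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-request", 14: "timestamp-reply", 15: "information-request",
    16: "information-reply", 17: "mask-request", 18: "mask-reply",
    31: "conversion-error", 32: "mobile-redirect",
}


@dataclass(frozen=True)
class IcmpRule:
    interface: str
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # 0.0.0.0/0 stands for "Any Address"
    icmp_type: Optional[int] = None  # None: the rule applies to every ICMP type


def rule(interface, action, cidr, icmp_type=None):
    """Convenience constructor taking the network in CIDR form."""
    return IcmpRule(interface, action, ipaddress.ip_network(cidr), icmp_type)


def evaluate(rules, interface, src_ip, icmp_type):
    """Decide the fate of an ICMP packet terminating on `interface`.

    Returns (action, matched_rule). With no list configured everything is
    permitted; otherwise the first matching entry decides and anything that
    matches nothing hits the implicit deny.
    """
    if not rules:
        return "permit", None
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.interface != interface or src not in r.network:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, r
    return "deny", None


def interfaces_blocking_unreachable(rules, interfaces):
    """Interfaces on which no permit entry covers type 3 at all.

    A permit narrowed to one source network still counts as coverage here; the
    check is a coarse reminder, not a full per-source evaluation.
    """
    if not rules:
        return []
    covered = {r.interface for r in rules
               if r.action == "permit" and r.icmp_type in (None, 3)}
    return [i for i in interfaces if i not in covered]


def describe(r):
    """Render a rule in the ASA `icmp` command syntax (from memory, not from this page)."""
    if r.network.prefixlen == 0:
        target = "any"
    elif r.network.prefixlen == 32:
        target = f"host {r.network.network_address}"
    else:
        target = f"{r.network.network_address} {r.network.netmask}"
    parts = ["icmp", r.action, target]
    if r.icmp_type is not None:
        parts.append(ICMP_TYPE_LITERALS.get(r.icmp_type, str(r.icmp_type)))
    parts.append(r.interface)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed rule list: echo from one network and unreachable from anywhere
    # on outside, everything else on outside denied, everything on inside permitted.
    rules = [
        rule("outside", "permit", "10.1.1.0/24", 8),
        rule("outside", "permit", "0.0.0.0/0", 3),
        rule("outside", "deny", "0.0.0.0/0"),
        rule("inside", "permit", "0.0.0.0/0"),
    ]
    for r in rules:
        print(describe(r))
    print(evaluate(rules, "outside", "192.0.2.9", 8)[0])
    print(interfaces_blocking_unreachable(rules, ["outside", "inside", "dmz"]))
```

Note that in the constructed list the "dmz" interface has no entries at all; because a list is configured, the implicit deny applies there too, which is why the check reports it.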
Fields

• Interface: Lists the interface on the security appliance from which ICMP access is allowed.
• Action: Displays whether ICMP messages are permitted or not allowed from the specified network or host.
• IP Address: Lists the IP address of the network or host that is allowed or denied access.
• Mask: Lists the network mask associated with the network or host that is allowed access.
• ICMP Type: Lists the type of ICMP message to which the rule applies. Table 8-1 lists the supported ICMP type values.
• Add: Displays the Add ICMP Rule dialog box for adding a new ICMP rule to the end of the table.
• Insert: Adds an ICMP rule before or after the currently selected rule.
• Edit: Displays the Edit ICMP Rule dialog box for editing the selected host or network.
• Delete: Deletes the selected host or network.
• ICMP Unreachable Message Limits: Adds rate limits and burst size message limits to ICMP messages.

Table 8-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Add/Edit ICMP Rule

The Add/Edit ICMP Rule dialog box lets you add or modify an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the security appliance.

Fields

• ICMP Type: Specifies the type of ICMP message to which the rule applies. Table 8-2 lists the supported ICMP type values.
• Interface: Identifies the interface on the security appliance from which ICMP access is allowed.
• IP Address: Specifies the IP address of the network or host that is allowed or denied access.
• Any Address: Applies the action to all addresses received on the specified interface.
• Mask: Specifies the network mask associated with the network or host that is allowed access.
• Action: Specifies whether ICMP messages are permitted or not from the specified network or host.
  - Permit: Causes ICMP messages from the specified host or network and interface to be allowed.


  - Deny: Causes ICMP messages from the specified host or network and interface to be dropped.
• ICMP Unreachable Message Limits: Adds rate limits and burst size message limits to ICMP messages.

Table 8-2 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Management Access
The Management Access panel lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the security appliance. With management access enabled, you can run ASDM on an internal interface with a fixed IP address over an IPSec VPN tunnel. Use this feature if VPN is configured on the security appliance and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the security appliance securely from home using the VPN client.


Fields

• Management Access Interface: Lets you specify the interface to use for managing the security appliance. None disables management access and is the default. To enable management access, select the interface with the highest security, which will be an inside interface. You can enable management access on only one interface at a time.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

NTP

The NTP panel lets you define NTP servers to dynamically set the time on the security appliance. The time displays in the status bar at the bottom of the main ASDM window. Time derived from an NTP server overrides any time set manually in the Clock panel.

NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. You can configure multiple NTP servers. The security appliance chooses the server with the lowest stratum, a measure of how reliable the data is.

Fields

• NTP Server List: Shows defined NTP servers.
  - IP Address: Shows the NTP server IP address.
  - Interface: Specifies the outgoing interface for NTP packets, if configured. The system does not include any interfaces, so it uses the admin context interfaces. If the interface is blank, then the security appliance uses the default admin context interface according to the routing table.
  - Preferred?: Shows whether this NTP server is a preferred server, Yes or No. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a more accurate server over a less accurate server that is preferred.
  - Key Number: Shows the authentication key ID number.
  - Trusted Key?: Shows if the key is a trusted key, Yes or No. The key must be trusted for authentication to work.
• Enable NTP Authentication: Enables authentication for all servers.
• Add: Adds an NTP server.
• Edit: Edits an NTP server.
• Delete: Deletes an NTP server.
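The server choice described in the Preferred? and Trusted Key? fields above (lowest stratum wins, the preferred server only breaks ties, and an untrusted key makes a server unusable once authentication is enabled) is small enough to model directly. The following added example is not code from the guide or from Cisco; it treats "similar accuracy" as equal stratum and "significantly more accurate" as a lower stratum, and the NtpServer shape, the function names and the sample servers are mine.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the guide): which configured NTP server the appliance
# synchronizes to, following the rules stated in the NTP panel description.
# Assumption: "similar accuracy" means equal stratum; a lower stratum is
# "significantly more accurate". Sample servers are constructed.


@dataclass(frozen=True)
class NtpServer:
    ip: str
    stratum: int                     # lower is closer to a reference clock
    preferred: bool = False
    key_number: Optional[int] = None
    key_trusted: bool = False


def usable(server, auth_enabled):
    """With NTP authentication enabled, a server whose key is not trusted cannot be used."""
    if not auth_enabled:
        return True
    return server.key_number is not None and server.key_trusted


def choose_server(servers, auth_enabled=False):
    """Return the server the appliance synchronizes to, or None if none is usable."""
    candidates = [s for s in servers if usable(s, auth_enabled)]
    if not candidates:
        return None
    # Lowest stratum wins; among equal strata the preferred server wins;
    # otherwise the first listed candidate is kept (min() is stable).
    return min(candidates, key=lambda s: (s.stratum, not s.preferred))


if __name__ == "__main__":
    servers = [
        NtpServer("192.0.2.10", 2, preferred=True, key_number=1, key_trusted=True),
        NtpServer("192.0.2.11", 2, key_number=2, key_trusted=True),
        NtpServer("192.0.2.12", 1, key_number=3, key_trusted=False),
    ]
    print(choose_server(servers).ip)                      # stratum 1 beats preferred
    print(choose_server(servers, auth_enabled=True).ip)   # untrusted key drops 192.0.2.12
```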


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Add/Edit NTP Server Configuration

The Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server.

Fields

• IP Address: Sets the NTP server IP address.
• Preferred: Sets this server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a more accurate server over a less accurate server that is preferred.
• Interface: Sets the outgoing interface for NTP packets, if you want to override the default interface according to the routing table. The system does not include any interfaces, so it uses the admin context interfaces. If you intend to change the admin context (thus changing the available interfaces), you should choose None (the default interface) for stability.
• Authentication Key: Sets the authentication key attributes if you want to use MD5 authentication for communicating with the NTP server.
  - Key Number: Sets the key ID for this authentication key. The NTP server packets must also use this key ID. If you previously configured a key ID for another server, you can select it in the list; otherwise, type a number between 1 and 4294967295.
  - Trusted: Sets this key as a trusted key. You must select this box for authentication to work.
  - Key Value: Sets the authentication key as a string up to 32 characters in length.
  - Reenter Key Value: Validates the key by ensuring that you enter the key correctly two times.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Password
The Password panel lets you set the login password and the enable password.


The login password lets you access EXEC mode if you connect to the security appliance using a Telnet or SSH session. (If you configure user authentication for Telnet or SSH access, then each user has their own password, and this login password is not used; see the AAA Access panel.)

The enable password lets you access privileged EXEC mode after you log in. Also, this password is used to access ASDM as the default user, which is blank. The default user shows as enable_15 in the User Accounts panel. (If you configure user authentication for enable access, then each user has their own password, and this enable password is not used; see the AAA Access panel. In addition, you can configure authentication for HTTP/ASDM access.)

Fields

• Enable Password: Sets the enable password. By default, it is blank.
  - Change the privileged mode password: Lets you change the enable password.
  - Old Password: Enter the old password.
  - New Password: Enter the new password.
  - Confirm New Password: Confirm the new password.
• Telnet Password: Sets the login password. By default, it is cisco. Although this group box is called Telnet Password, this password applies to Telnet and SSH access.
  - Change the password to access the platform console: Lets you change the login password.
  - Old Password: Enter the old password.
  - New Password: Enter the new password.
  - Confirm New Password: Confirm the new password.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

Secure Copy

The Secure Copy panel lets you enable the secure copy server on the security appliance. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection.

Limitations

This implementation of the secure copy server has the following limitations:

• The server can accept and terminate connections for secure copy, but cannot initiate them.
• The server does not have directory support. The lack of directory support limits remote client access to the security appliance internal files.
• The server does not support banners.
• The server does not support wildcards.


• The security appliance license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Fields

• Enable Secure Copy Server: Select this check box to enable the secure copy server on the security appliance.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

SMTP

The SMTP panel lets you enable or disable the SMTP client for notification by email that a significant event has transpired. Here you can add an IP address of an SMTP server and optionally, the IP address of a backup server. ASDM does not check to make sure the IP address is valid, so it is important to type the address correctly. You can configure what email addresses will receive alerts in Configuration > Properties > Logging > Email Setup.

Fields

• Remote SMTP Server: Lets you configure the primary and secondary SMTP servers.
  - Primary Server IP Address: Enter the IP address of the SMTP server.
  - Secondary Server IP Address (Optional): Optionally, you can enter the IP address of a secondary SMTP server.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)

SNMP
The SNMP panel lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.


SNMP defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers, and the security appliance.

SNMP Terminology

• Management station: Network management stations running on PCs or workstations use the SNMP protocol to administer standardized databases residing on the device being managed. Management stations can also receive messages about events, such as hardware failures, which require attention.
• Agent: In the context of SNMP, the management station is a client and an SNMP agent running on the security appliance is a server.
• OID: The SNMP standard assigns a system object ID (OID) so that a management station can uniquely identify network devices with SNMP agents and indicate to users the source of information monitored and displayed.
• MIB: The agent maintains standardized data structures called Management Information Databases, or MIBs, which are compiled into management stations. MIBs collect information, such as packet, connection, and error counters, buffer usage, and failover status. MIBs are defined for specific products, in addition to MIBs for the common protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs or request only specific fields. In some applications, MIB data can be modified for administrative purposes.
• Trap: The agent also monitors alarm conditions. When an alarm condition defined in a trap occurs, such as a link up, link down, or syslog event, the agent sends notification, also known as an SNMP trap, to the designated management station immediately.

For Cisco MIB files and OIDs, refer to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. OIDs may be downloaded at this URL: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.

MIB Support

The security appliance provides the following SNMP MIB support:

Note

The security appliance does not support browsing of the Cisco syslog MIB.

• You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values.
• The Cisco MIB and Cisco Memory Pool MIB are available. The security appliance does not support the following in the Cisco MIB:
  - cfwSecurityNotification NOTIFICATION-TYPE
  - cfwContentInspectNotification NOTIFICATION-TYPE
  - cfwConnNotification NOTIFICATION-TYPE
  - cfwAccessNotification NOTIFICATION-TYPE
  - cfwAuthNotification NOTIFICATION-TYPE
  - cfwGenericNotification NOTIFICATION-TYPE


SNMP CPU Utilization

The security appliance supports monitoring CPU utilization through SNMP. This feature allows network administrators to monitor security appliance CPU usage using SNMP management software, such as HP OpenView, for capacity planning.

This functionality is implemented through support for the cpmCPUTotalTable of the Cisco Process MIB (CISCO-PROCESS-MIB.my). The other two tables in the MIB, cpmProcessTable and cpmProcessExtTable, are not supported in this release. Each row of the cpmCPUTotalTable includes the index of each CPU and the following objects:

MIB object name            Description
cpmCPUTotalPhysicalIndex   The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent.
cpmCPUTotalIndex           The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent.
cpmCPUTotal5sec            Overall CPU busy percentage in the last five-second period.
cpmCPUTotal1min            Overall CPU busy percentage in the last one-minute period.
cpmCPUTotal5min            Overall CPU busy percentage in the last five-minute period.

Note

Because all current security appliance hardware platforms support a single CPU, the security appliance returns only one row from cpmCPUTotalTable and the index is always 1. The values of the last three elements are the same as the output from the show cpu usage command.

The security appliance does not support the following new MIB objects in the cpmCPUTotalTable:

• cpmCPUTotal5secRev
• cpmCPUTotal1minRev
• cpmCPUTotal5minRev

Fields

• Community string (default): Enter the password used by the SNMP management station when sending requests to the security appliance. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security appliance uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default is public. SNMPv2c allows separate community strings to be set for each management station. If no community string is configured for any management station, the value set here will be used by default.
• Contact: Enter the name of the security appliance system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
• Security Appliance Location: Specify the security appliance location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
• Listening Port: Specify the port on which SNMP traffic is sent. The default is 161.
• Configure Traps: Lets you configure the events to notify through SNMP traps.

Cisco ASDM User Guide OL-10106-04

8-15

Chapter 8 Device Administration

Configuring Device Properties

SNMP Management Station box:

• Interface - Displays the security appliance interface name where the SNMP management station resides.
• IP Address - Displays the IP address of an SNMP management station to which the security appliance sends trap events and from which it receives requests or polls.
• Community string - If no community string is specified for a management station, the value set in the Community String (default) field will be used.
• SNMP Version - Displays the version of SNMP set on the management station.
• Poll/Trap - Displays the method for communicating with this management station: poll only, trap only, or both trap and poll. Polling means that the security appliance waits for a periodic request from the management station. The trap setting sends syslog events when they occur.
• UDP Port - SNMP host UDP port. The default is port 162.
• Add - Opens the Add SNMP Host Access Entry dialog box with these fields:
    • Interface Name - Select the interface on which the management station resides.
    • IP Address - Specify the IP address of the management station.
    • Server Poll/Trap Specification - Select Poll, Trap, or both.
    • UDP Port - UDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port.
    • Help - Provides more information.
• Edit - Opens the Edit SNMP Host Access Entry dialog box with the same fields as Add.
• Delete - Deletes the selected item.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add/Edit SNMP Host Access Entry


Adding SNMP Management Stations

To add SNMP management stations, perform the following steps:


1. Click Add to open the SNMP Host Access Entry dialog box.
2. From Interface Name, select the interface on which the SNMP management station resides.
3. Enter the IP address of that management station in IP Address.
4. Enter the UDP port for the SNMP host. The default is 162.
5. Enter the Community String password for the SNMP host. If no community string is specified for a management station, the value set in the Community String (default) field in the SNMP Configuration screen will be used.


6. Click to select Poll, Trap, or both.
7. To return to the previous panel, click:
    • OK - Accepts changes and returns to the previous panel.
    • Cancel - Discards changes and returns to the previous panel.
    • Help - Provides more information.

Editing SNMP Management Stations

To edit SNMP management stations, perform the following steps:


1. Select a list item from the SNMP management station table on the SNMP panel.
2. Click Edit to open Edit SNMP Host Access Entry.
3. From Interface Name, select the interface on which the SNMP management station resides.
4. Enter the IP address of that management station in IP Address.
5. Enter the Community String password for the SNMP host. If no community string is specified for a management station, the value set in the Community String (default) field in the SNMP Configuration screen will be used.
6. Enter the UDP port for the SNMP host. The default is 162.
7. Click to select Poll, Trap, or both.
8. Select the SNMP version.
9. To return to the previous panel, click:
    • OK - Accepts changes and returns to the previous panel.
    • Cancel - Discards changes and returns to the previous panel.
    • Help - Provides more information.

Deleting SNMP Management Stations

To delete an SNMP management station from the table, perform the following steps:
1. Select an item from the SNMP management station table on the SNMP panel.
2. Click Delete.

Fields

• Interface name - Select the interface where the SNMP host resides.
• IP Address - Enter the IP address of the SNMP host.
• UDP Port - Enter the UDP port on which to send SNMP updates. The default is 162.
• Community String - Enter the community string for the SNMP server.
• SNMP Version - Select the SNMP version.
• Server Poll/Trap Specification:
    • Poll - Select to send poll information. Polling means that the security appliance waits for a periodic request from the management station.
    • Trap - Select to send trap information. The trap setting sends syslog events when they occur.
• OK - Accepts changes and returns to the previous panel.
• Cancel - Discards changes and returns to the previous panel.


• Help - Provides more information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

SNMP Trap Configuration


Traps

Traps are different from browsing; they are unsolicited messages from the managed device to the management station for certain events, such as link up, link down, and syslog event generated. An SNMP object ID (OID) for the security appliance is displayed in SNMP event traps sent from the security appliance. The security appliance provides the system OID in SNMP event traps and in the SNMP mib-2.system.sysObjectID object. The SNMP service running on the security appliance performs two different functions:

• Replies to SNMP requests from management stations (also known as SNMP clients).
• Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.

The security appliance supports 3 types of traps: firewall, generic, and syslog.


Configure Traps

Opens SNMP Trap Configuration with the following fields:

• Standard SNMP Traps - Select standard traps to send:
    • Authentication - Enables the authentication standard trap.
    • Cold Start - Enables the cold start standard trap.
    • Link Up - Enables the link up standard trap.
    • Link Down - Enables the link down standard trap.
• Entity MIB Notifications:
    • FRU Insert - Enables a trap notification when a Field Replaceable Unit (FRU) has been inserted.
    • FRU Remove - Enables a trap notification when a Field Replaceable Unit (FRU) has been removed.
    • Configuration Change - Enables a trap notification when there has been a hardware change.
• IPSec Traps - Enables IPSec traps:


    • Start - Enables a trap when IPSec starts.
    • Stop - Enables a trap when IPSec stops.
• Remote Access Traps - Enables remote access traps:
    • Session threshold exceeded - Enables a trap when the number of remote access session attempts exceeds the configured threshold.
• Enable Syslog traps - Enables sending of syslog messages to the SNMP management station.
• OK - Accepts changes and returns to the previous panel.
• Cancel - Discards changes and returns to the previous panel.
• Help - Provides more information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

TFTP Server
The TFTP Server panel lets you configure the security appliance to save its configuration to a file server using TFTP.

Note

This panel does not write the file to the server. Configure the security appliance for using a TFTP server in this panel, then click File > Save Running Configuration to TFTP Server.
TFTP Servers and the security appliance

TFTP is a simple client/server file transfer protocol described in RFC 783 and RFC 1350 Rev. 2. This panel lets you configure the security appliance as a TFTP client so that it can transfer a copy of its running configuration file to a TFTP server using File > Save Running Configuration to TFTP Server or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple security appliances.

This panel uses the configure net command to specify the IP address of the TFTP server, and the tftp-server command to specify the interface and the path/filename on the server where the running configuration file will be written. Once this information is applied to the running configuration, ASDM File > Save Running Configuration to TFTP Server uses the copy command to execute the file transfer.

The security appliance supports only one TFTP server. The full path to the TFTP server is specified in Configuration > Properties > Administration > TFTP Server. Once configured here, you can use a colon (:) to specify the IP address in the CLI configure net and copy commands. However, any other authentication or configuration of intermediate devices necessary for communication from the security appliance to the TFTP server is done apart from this function.

The show tftp-server command lists the tftp-server command statements in the current configuration. The no tftp-server command disables access to the server.


Fields

The TFTP panel provides the following fields:


• Enable - Click to select and enable these TFTP server settings in the configuration.
• Interface Name - Select the name of the security appliance interface which will use these TFTP server settings.
• IP Address - Enter the IP address of the TFTP server.
• Path - Type in the TFTP server path, beginning with / (forward slash) and ending in the file name, to which the running configuration file will be written. Example TFTP server path: /tftpboot/security appliance/config3

Note

The path must begin with a forward slash (/).

For More Information

For more information about TFTP, refer to the security appliance Technical Documentation for your version of software.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

User Accounts
The User Accounts panel lets you manage the local user database. The local database is used for the following features:

• ASDM per-user access

  By default, you can log into ASDM with a blank username and the enable password (see Password). However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Note

Although you can configure HTTP authentication using the local database (see the Authentication Tab), that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication.

• Console authentication (see the Authentication Tab)
• Telnet and SSH authentication (see the Authentication Tab)
• enable command authentication (see the Authentication Tab)

  This setting is for CLI access only and does not affect the ASDM login.

• Command authorization (see the Authorization Tab)


  If you enable command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.

Note

If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. Without command authorization, users can access privileged mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication for console access so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged mode.

• Network access authentication
• VPN client authentication

You cannot use the local database for network access authorization.

For multiple context mode, you can configure usernames in the system execution space to provide individual logins at the CLI using the login command; however, you cannot configure any aaa commands that use the local database in the system execution space.

Note

VPN functions are not supported in multimode.

To configure the enable password from this panel (instead of in Password), change the password for the enable_15 user. The enable_15 user is always present in this panel, and represents the default username. This method of configuring the enable password is the only method available in ASDM for the system configuration. If you configured other enable level passwords at the CLI (enable password 10, for example), then those users are listed as enable_10, etc.

Fields

• User Name - Specifies the user name to which these parameters apply.
• Privilege (Level) - Specifies the privilege level assigned to that user. The privilege level is used with local command authorization. See the Authorization Tab for more information.
• VPN Group Policy - Specifies the name of the VPN group policy for this user. Not available in multimode.
• VPN Group Lock - Specifies what, if any, group lock policy is in effect for this user. Not available in multimode.
• Add - Displays the Add User Account dialog box.
• Edit - Displays the Edit User Account dialog box.
• Delete - Removes the selected row from the table. There is no confirmation or undo.
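The following added example (not code from the ASDM guide or from Cisco) audits a saved running configuration, such as the file written by File > Save Running Configuration to TFTP Server, against the rules stated in this section and in the SNMP section: the default community string public, management stations that have no community string of their own and so fall back to the default, local users at privilege level 2 or higher on an appliance where local command authorization is not enabled, and a TFTP path that does not begin with a forward slash. It assumes the ASA CLI forms of the settings these panels write (snmp-server community, snmp-server host, username ... privilege, aaa authorization command LOCAL, tftp-server); the sample configuration and its password placeholders are constructed.

```python
"""Audit a saved security appliance running configuration for the SNMP and
local-user settings described in this chapter.  Added example, not code from
the ASDM guide.  Assumptions: the CLI keywords below are the ASA forms of the
settings the panels write; the sample configuration is constructed."""

from typing import Dict, List

SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
hostname asa1
snmp-server community public
snmp-server location Lab rack 3
snmp-server contact netops
snmp-server host inside 10.0.0.5 poll
snmp-server host inside 10.0.0.6 community s3cret-string version 2c udp-port 162
snmp-server host outside 203.0.113.9 trap version 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
username admin password PLACEHOLDER-HASH encrypted privilege 15
username ops password PLACEHOLDER-HASH encrypted privilege 2
username monitor password PLACEHOLDER-HASH encrypted privilege 1
tftp-server inside 10.0.0.7 /tftpboot/asa1/config3
"""

DEFAULT_PRIVILEGE = 2   # the chapter states that 2 is the default user privilege level


def parse_config(text: str) -> Dict[str, object]:
    """Collect only the statements this audit needs; everything else is ignored."""
    cfg = {"community": None, "hosts": [], "users": [], "cmd_authz": False, "tftp": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[:2] == ["snmp-server", "community"]:
            cfg["community"] = " ".join(parts[2:])
        elif parts[:2] == ["snmp-server", "host"]:
            host = {"interface": parts[2], "ip": parts[3], "community": None, "version": None,
                    "mode": "trap" if "trap" in parts else "poll" if "poll" in parts else "poll+trap"}
            for key in ("community", "version"):        # per-host overrides, if present
                if key in parts[4:]:
                    host[key] = parts[parts.index(key, 4) + 1]
            cfg["hosts"].append(host)
        elif parts[0] == "username":
            priv = int(parts[parts.index("privilege") + 1]) if "privilege" in parts else DEFAULT_PRIVILEGE
            cfg["users"].append({"name": parts[1], "privilege": priv})
        elif parts[:3] == ["aaa", "authorization", "command"]:
            cfg["cmd_authz"] = True
        elif parts[0] == "tftp-server":
            cfg["tftp"].append({"interface": parts[1], "ip": parts[2], "path": parts[3]})
    return cfg


def audit(cfg: Dict[str, object]) -> List[str]:
    """Return one finding per rule violation, in a fixed order."""
    findings = []
    if cfg["community"] == "public":
        findings.append("snmp: default community string 'public' is in use; "
                        "it is sent in the clear with every request")
    for h in cfg["hosts"]:
        if h["community"] is None:
            findings.append("snmp: host %s on %s has no community string of its own and falls back "
                            "to the default (%s)" % (h["ip"], h["interface"], cfg["community"]))
    if not cfg["cmd_authz"]:
        for u in cfg["users"]:
            if u["privilege"] >= 2:
                findings.append("aaa: user %s (privilege %d) can enter privileged mode with their own "
                                "password because local command authorization is not enabled"
                                % (u["name"], u["privilege"]))
    for t in cfg["tftp"]:
        if not t["path"].startswith("/"):
            findings.append("tftp: path %s does not begin with /" % t["path"])
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Adding the line aaa authorization command LOCAL to the sample configuration clears the two user findings, which is the remedy the note above describes; the host findings go away only when each management station gets its own community string.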

Modes

The following table shows the modes in which this feature is available:


Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add/Edit User Account > Identity Tab


Use this tab to specify parameters that identify the user account you want to add or change. The changes appear in the User Accounts table as soon as you click OK.
Fields

• Username - Specifies the username for this account.
• Password - Specifies the unique password for this user. The minimum password length is 4 characters. The maximum is 32 characters. Entries are case-sensitive. The field displays only asterisks.

Note

To protect security, we recommend a password length of at least 8 characters.

• Confirm Password - Asks you to re-enter the user password to verify it. The field displays only asterisks.
• Privilege Level - Selects the privilege level for this user to use with local command authorization. The range is 0 (lowest) to 15 (highest). See the Authorization Tab for more information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add/Edit User Account > VPN Policy Tab


Use this tab to specify VPN policies for this user. Check an Inherit check box to let the corresponding setting take its value from the group policy.
Fields

• Group Policy - Lists the available group policies.
• Tunneling Protocols - Specifies what tunneling protocols this user can use, or whether to inherit the value from the group policy. Check the desired Tunneling Protocols check boxes to select the VPN tunneling protocols that this user can use. Users can use only the selected protocols. The choices are as follows:


    • IPSec - IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec.
    • WebVPN - VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor a hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file shares (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
    • L2TP over IPSec - Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks.

Note

If no protocol is selected, an error message appears.

• Filter - Specifies what filter to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Configuration > VPN > VPN General > Group Policy panel.
• Manage - Displays the ACL Manager panel, on which you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs).
• Tunnel Group Lock - Specifies whether to inherit the tunnel group lock or to use the selected tunnel group lock, if any. Selecting a specific lock restricts users to remote access through this group only. Tunnel Group Lock restricts users by checking if the group configured in the VPN client is the same as the user's assigned group. If it is not, the security appliance prevents the user from connecting. If the Inherit check box is not selected, the default value is --None--.
• Store Password on Client System - Specifies whether to inherit this setting from the group. Deselecting the Inherit check box activates the Yes and No radio buttons. Selecting Yes stores the login password on the client system (potentially a less-secure option). Selecting No (the default) requires the user to enter the password with each connection. For maximum security, we recommend that you not allow password storage. This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.
• Connection Settings - Specifies the connection settings parameters:
    • Access Hours - If the Inherit check box is not selected, you can select the name of an existing access hours policy, if any, applied to this user or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
    • New - Opens the Add Time Range dialog box, on which you can specify a new set of access hours.
    • Simultaneous Logins - If the Inherit check box is not selected, this parameter specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.

Note

While there is no maximum limit, allowing several simultaneous connections could compromise security and affect performance.


    • Maximum Connect Time - If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).
    • Idle Timeout - If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. This value does not apply to WebVPN users.
• Dedicated IP Address (Optional):
    • IP Address box - Specifies the optional Dedicated IP address.
    • Subnet Mask list - Specifies the subnet mask for the Dedicated IP address.

Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user's assigned group. If it is not, the VPN Concentrator prevents the user from connecting. If this box is unchecked (the default), the system authenticates a user without regard to the user's assigned group.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System

Add/Edit User Account > WebVPN Tab


The Add or Edit User Account panel, WebVPN tab, displays six tabs that let you configure WebVPN attributes for users.
Fields

• Inherit - Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow.
• Functions - Configures the features available to WebVPN users.
    • Enable URL entry - Places the URL entry box on the home page. If this feature is enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.

      Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.

      In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate, and therefore cannot examine and validate the certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.

      To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.
    • Enable file server access - Enables Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Servers and URLs group box. To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing parameters. Users can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

      File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with a list of the resources on the network. You cannot use a DNS server instead.

Note

File access is not supported in a native Active Directory environment when used with Dynamic DNS. It is supported if used with a WINS server.


    • Enable file server entry - Places the file server entry box on the portal page. File server access must be enabled. With this box selected, users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
    • Enable file server browsing - Lets users browse the Windows network for domains/workgroups, servers, and shares. File server access must be enabled. With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.
    • Enable port forwarding - WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them. With this box checked, users can access client/server applications by mapping TCP ports on the local and remote systems.

Note

Port Forwarding does not work with some SSL/TLS versions.


Note

When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA cannot access the web browsers keystore; therefore JAVA cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.

    • Enable Outlook/Exchange proxy - Enables the use of the Outlook/Exchange e-mail proxy.
    • Apply Web-type ACL - Applies the WebVPN Access Control List defined for the users of this group.
    • Enable HTTP Proxy - Enables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper mangling, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client-side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.

• Content Filtering - Blocks or removes the parts of websites that use Java or ActiveX, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.
    • Filter Java/ActiveX - Removes <applet>, <embed>, and <object> tags from HTML.
    • Filter scripts - Removes <script> tags from HTML.
    • Filter images - Removes <img> tags from HTML. Removing images dramatically speeds the delivery of web pages.
    • Filter cookies from images - Removes cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.
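The following added example (not the security appliance's own filtering code, and not from the ASDM guide) implements the element removal that the Filter Java/ActiveX, Filter scripts, and Filter images options describe, using Python's html.parser: container elements (<applet>, <object>, <script>) are dropped together with their content, single-tag elements (<embed>, <img>) are dropped on their own, and everything else, including entities and comments, is re-emitted unchanged. The sample page is constructed. Cookie filtering is not shown because it acts on HTTP headers rather than on the HTML.

```python
"""WebVPN-style HTML content filtering: drop the elements the Content Filtering
options describe (Java/ActiveX: <applet>, <embed>, <object>; scripts: <script>;
images: <img>) while passing everything else through untouched.  Added example,
not the security appliance's own code; the sample page is constructed."""

from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<p>Hello &amp; welcome</p>
<script>alert("js")</script>
<img src="/logo.png" alt="logo">
<applet code="Thing.class"><param name="a" value="b">applet fallback text</applet>
<object data="movie.swf"><embed src="movie.swf"></object>
<p>end</p>
</body></html>
"""

# element -> filtering option that removes it; containers lose their content too
CONTAINERS = {"applet": "java_activex", "object": "java_activex", "script": "scripts"}
VOIDS = {"embed": "java_activex", "img": "images"}


class ContentFilter(HTMLParser):
    def __init__(self, java_activex: bool = False, scripts: bool = False, images: bool = False):
        super().__init__(convert_charrefs=False)   # re-emit &amp; and friends verbatim
        self.enabled = {"java_activex": java_activex, "scripts": scripts, "images": images}
        self.out = []
        self.skip_tag = None    # container element currently being dropped
        self.skip_depth = 0     # nesting of that same element inside itself

    def _dropped(self, tag: str) -> bool:
        option = CONTAINERS.get(tag) or VOIDS.get(tag)
        return bool(option) and self.enabled[option]

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if self._dropped(tag):
            if tag in CONTAINERS:
                self.skip_tag, self.skip_depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):          # <img ... /> style tags
        if not self.skip_depth and not self._dropped(tag):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if not self.skip_depth:
                    self.skip_tag = None
            return
        if not self._dropped(tag):                      # ignore e.g. a stray </embed>
            self.out.append("</%s>" % tag)

    def _passthrough(self, text: str):
        if not self.skip_depth:
            self.out.append(text)

    def handle_data(self, data):
        self._passthrough(data)

    def handle_entityref(self, name):
        self._passthrough("&%s;" % name)

    def handle_charref(self, name):
        self._passthrough("&#%s;" % name)

    def handle_comment(self, data):
        self._passthrough("<!--%s-->" % data)

    def handle_decl(self, decl):
        self._passthrough("<!%s>" % decl)


def filter_html(html: str, **options) -> str:
    """Return html with the elements selected by the options removed."""
    p = ContentFilter(**options)
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(filter_html(SAMPLE_HTML, java_activex=True, scripts=True, images=True))
```

With no option enabled the page comes back byte-for-byte unchanged, which matches the default described above; enabling Filter Java/ActiveX removes the applet fallback text as well as the tags, because a rewriting proxy cannot know whether that content is safe to show.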

• Homepage - Configures what, if any, home page to use.
    • Specify URL - Indicates whether the subsequent fields specify the protocol, either http or https, and the URL of the Web page to use as the home page.
    • Protocol - Specifies whether to use http or https as the connection protocol for the home page.
    • :// - Specifies the URL of the Web page to use as the home page.
    • Use none - Specifies that no home page is configured.

• Port Forwarding - Configures port forwarding parameters.
    • Port Forwarding List - Specifies whether to inherit the port forwarding list from the default group policy, select one from the list, or create a new port forwarding list.
    • New - Displays a new panel on which you can add a new port forwarding list. See the description of the Add/Edit Port Forwarding List panel.
    • Applet Name - Specifies whether to inherit the applet name or to use the name specified in the box. Specify this name to identify port forwarding to end users. The name you configure displays in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users. The default applet name is Application Access.

• Other - Configures servers and URL lists and the Web-type ACL ID.
    • Servers and URL Lists - Specifies whether to inherit the list of Servers and URLs, to select an existing list, or to create a new list.


    • New - Displays a new panel on which you can add a new port forwarding list.
    • Web-Type ACL ID - Specifies the identifier of the Web-Type ACL to use.

SSL VPN Client tab - Lets you configure the security appliance to download SSL VPN clients (SVCs) to remote computers. The SVC is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance.

To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation. After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates.

The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly encountered remote computer operating system.
• Inherit - Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow.
• Keep Installer on Client System - Enables permanent SVC installation and disables the automatic uninstalling feature of the SVC. The SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user.
• Keepalive Messages - Adjusts the frequency of keepalive messages, in the range of 15 to 600 seconds. By default, keepalive messages are disabled. You can adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
• Compression - Enables compression on the SVC connection. By default, compression is enabled. SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.
• Rekey Negotiation Settings group box - When the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection. Renegotiation Interval specifies the number of minutes from the start of the session until the rekey takes place, from 1 to 10080 (1 week).

Cisco ASDM User Guide OL-10106-04

8-27

Chapter 8 Auto Update

Configuring Device Properties

Renegotiation Method specifies whether the SVC establishes a new tunnel during SVC rekey. If you check none, SVC rekey is disabled. If you check ssl, SSL renegotiation takes place during SVC rekey.
Dead Peer Detection: Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding and the connection has failed. Gateway Side Detection enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance performs DPD. If you check disable, DPD performed by the security appliance is disabled. Client Side Detection enables DPD performed by the SVC (client) and specifies the frequency, from 30 to 3600 seconds, with which the SVC performs DPD. If you check disable, DPD performed by the SVC is disabled.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Auto Update
The Auto Update pane lets you configure the security appliance to be managed remotely from servers that support the Auto Update specification. Auto Update lets you apply configuration changes to the security appliance and receive software updates from remote locations. Auto Update is useful in solving many of the challenges facing administrators for security appliance management:

Overcomes dynamic addressing and NAT challenges.
Gives the ability to commit configuration changes in one atomic action.
Provides a reliable method for updating software.
Leverages well understood methods for high scalability.
Open interface gives developers tremendous flexibility.
Simplifies security solutions for Service Provider environments.
High reliability, rich security/management features, broad support by many products.

Introduction to Auto Update

The Auto Update specification provides the infrastructure necessary for remote management applications to download security appliance configurations, software images, and to perform basic monitoring from a centralized location or multiple locations.


The Auto Update specification allows the Auto Update server to either push configuration information and send requests for information to the security appliance, or to pull configuration information by causing the security appliance to periodically poll the Auto Update server. The Auto Update server can also send a command to the security appliance to send an immediate polling request at any time. Communication between the Auto Update server and the security appliance requires a communications path and local CLI configuration on each security appliance. The Auto Update feature on the security appliance can be used with Cisco security products, as well as products from third-party companies that want to manage the security appliance.
Important Notes

If the security appliance configuration is updated from an Auto Update server, ASDM is not notified. You must choose Refresh or File > Refresh ASDM with the Running Configuration on the Device to get the latest configuration, and any changes to the configuration made in ASDM will be lost. If HTTPS is chosen as the protocol to communicate with the Auto Update server, the security appliance will use SSL. This requires the security appliance to have a DES or 3DES license.

Fields

The Auto Update pane consists of an Auto Update Servers table and two areas: the Timeout area, and the Polling area. The Auto Update Servers table lets you view the parameters of previously-configured Auto Update servers. The security appliance polls the server listed at the top of the table first. You can change the position of the servers in the table with the Move Up and Move Down buttons. The Auto Update Servers table contains the following columns:

Server: The name or IP address of the Auto Update server.
User Name: The user name used to access the Auto Update server.
Interface: The interface used when sending requests to the Auto Update server.
Verify Certificate: Indicates whether the security appliance checks the certificate returned by the Auto Update server against the Certification Authority (CA) root certificates. This requires that the Auto Update server and the security appliance use the same CA.

Double-clicking any of the rows in the Auto Update Server table opens the Edit Auto Update Server dialog, in which you can modify the Auto Update server parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration. The Timeout area lets you set the amount of time the security appliance waits for the Auto Update server to timeout. The Timeout area contains the following fields:

Enable Timeout Period: Check to enable the security appliance to timeout if no response is received from the Auto Update server.
Timeout Period (Minutes): Enter the number of minutes the security appliance will wait to timeout if no response is received from the Auto Update server.

The Polling area lets you configure how often the security appliance will poll for information from the Auto Update server. The Polling area contains the following fields:

Polling Period (minutes): The number of minutes the security appliance will wait to poll the Auto Update server for new information.
Poll on Specified Days: Allows you to specify a polling schedule.
Set Polling Schedule: Displays the Set Polling Schedule dialog where you can configure the days and time-of-day to poll the Auto Update server.


Retry Period (minutes): The number of minutes the security appliance will wait to poll the Auto Update server for new information if the attempt to poll the server fails.
Retry Count: The number of times the security appliance will attempt to retry to poll the Auto Update server for new information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Set Polling Schedule


The Set Polling Schedule dialog lets you configure specific days, and the time-of-day for the security appliance to poll the Auto Update server.
Fields

The Set Polling Schedule dialog contains the following fields:

Days of the Week: Check the days of the week that you want the security appliance to poll the Auto Update server.

The Daily Update Window group lets you configure the time of day when you want the security appliance to poll the Auto Update server, and contains the following fields:

Start Time: Enter the hour and minute to begin the Auto Update poll.
Enable Randomize: Check to enable the security appliance to randomly choose a time to poll the Auto Update server.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Add/Edit Auto Update Server


The Edit Auto Update Server dialog contains the following fields:

URL: The protocol the Auto Update server uses to communicate with the security appliance, either http or https, and the path to the Auto Update server.
Interface: The interface to use when sending requests to the Auto Update server.


Verify Certificate: Select to enable the security appliance to verify the certificate returned by the Auto Update server against the Certification Authority (CA) root certificates. This requires that the Auto Update server and the security appliance use the same CA.

The User area contains the following fields:

User Name (Optional): Enter the user name needed to access the Auto Update server.
Password: Enter the user password for the Auto Update server.
Confirm Password: Reenter the user password for the Auto Update server.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Advanced Auto Update Settings


Fields

Use Device ID to uniquely identify the ASA: Enables authentication using a Device ID. The Device ID is used to uniquely identify the security appliance to the Auto Update server.
Device ID: Type of Device ID to use.
  Hostname: The name of the host.
  Serial Number: Device serial number.
  IP Address on interface: The IP address of the selected interface, used to uniquely identify the security appliance to the Auto Update server.
  MAC Address on interface: The MAC address of the selected interface, used to uniquely identify the security appliance to the Auto Update server.
  User-defined value: A unique user ID.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System


Client Update
The Client Update pane lets you configure the parameters of Auto Update clients associated with the security appliance when it is configured as an Auto Update server. As an Auto Update server, you can specify the platform and ASDM images for security appliances configured as Auto Update clients, including image revision numbers and locations, according to the device ID, device family, or device type of the client.
Introduction to Auto Update Server and Client Update

The Auto Update specification provides the infrastructure necessary for remote management applications to download security appliance configurations, software images, and to perform basic monitoring from a centralized location. As an Auto Update server, the specification allows the Auto Update server to either push configuration information and send requests for information to the security appliance, or to pull configuration information by causing the security appliance to periodically poll the Auto Update server. The Auto Update server can also send a command to the security appliance to send an immediate polling request at any time. Communication between the Auto Update server and the security appliance requires a communications path and local CLI configuration on each security appliance.
Fields

The Client Update pane consists of the following fields:


Enable Client Update: Check to allow the security appliance to update the images used by other security appliances that are configured as Auto Update clients.
Client Images table: Lets you view previously configured Client Update entries and includes the following columns:
  Device: Displays a text string corresponding to a device-id of the client.
  Device Family: Displays the family name of a client, either asa, pix, or a text string.
  Device Type: Displays the type name of a client.
  Image Type: Specifies the type of image, either ASDM image or Boot image.
  Image URL: Specifies the URL for the software component.
  Client Revision: Specifies the revision number(s) of the software component.

Double-clicking any of the rows in the Client Images table opens the Edit Client Update Entry dialog, in which you can modify the client parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration.

Live Client Update area: Lets you immediately update Auto Update clients that are currently connected to the security appliance through a tunnel.
  Tunnel Group: Select all to update all Auto Update clients connected over all tunnel groups, or specify a tunnel group for clients that you want to update.
  Update Now: Click to begin an immediate update.

Note

Live Client Update is only available when the security appliance is configured in routed mode.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Add/Edit Client Update


Fields

The Add/Edit Client Update dialog displays the following fields:

Device Identification group:


Device ID: Enable if the client is configured to identify itself with a unique string, and specify the same string that the client uses. The maximum length is 63 characters.
Device Family: Enable if the client is configured to identify itself by device family, and specify the same device family that the client uses. It can be asa, pix, or a text string with a maximum length of 7 characters.
Device Type: Enable if the client is configured to identify itself by device type, and specify the same device type that the client uses. It can be pix-515, pix-515e, pix-525, pix-535, asa5505, asa5510, asa5520, or asa5540. It can also be a text string with a maximum length of 15 characters.
Not Specified: Select for clients that do not match the above.

Image Type: Specifies an image type, either ASDM or boot image.
Client Revision: Specifies a text string corresponding to the revision number(s) of the software component. For example: 7.1(0)22.
Image URL: Specifies the URL for the software component. This URL must point to a file appropriate for this client. Maximum length of 255 characters.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System


Chapter 9

DHCP and DNS Services


A DHCP server provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface.

The Domain Name System (DNS) is the system in the Internet that maps names of objects (usually host names) into IP numbers or other resource record values. The namespace of the Internet is divided into domains, and the responsibility for managing names within each domain is delegated, typically to systems within each domain. DNS client services allow you to specify DNS servers to which the security appliance sends DNS requests, the request timeout period, and other parameters.

Dynamic DNS (DDNS) update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and automates IP address allocation; DDNS update automatically records the association between assigned addresses and host names at pre-defined intervals. DDNS allows frequently changing address-host name associations to be updated frequently. Mobile hosts, for example, can then move freely on a network without user or administrator intervention.

For information about configuring these services, see the following topics:

DHCP Relay
DHCP Server
DNS Client
Dynamic DNS

DHCP Relay
The DHCP Relay pane lets you configure DHCP relay services on the security appliance. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface. To configure DHCP relay, you need to specify at least one DHCP relay server and then enable a DHCP relay agent on the interface receiving DHCP requests.
Restrictions

You cannot enable a DHCP relay agent on an interface that has a DHCP relay server configured for it. The DHCP relay agent works only with external DHCP servers; it will not forward DHCP requests to a security appliance interface configured as a DHCP server.


Prerequisites

Before you can enable a DHCP relay agent on an interface, you must have at least one DHCP relay server in the configuration.
Fields

DHCP Relay Agent: Display only. Contains the fields for configuring the DHCP relay agent.
  Interface: Displays the interface ID. Double-clicking an interface opens the Edit DHCP Relay Agent Settings dialog box, where you can enable the DHCP relay agent and configure the relay agent parameters.
  DHCP Relay Enabled: Indicates whether the DHCP relay agent is enabled on the interface. This column displays Yes if the DHCP relay agent is enabled or No if the DHCP relay agent is not enabled on the interface.
  Set Route: Indicates whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. This column displays Yes if the DHCP relay agent is configured to change the default router address to the interface address or No if the DHCP relay agent does not modify the default router address.
  Edit: Opens the Edit DHCP Relay Agent Settings dialog box, where you can enable the DHCP relay agent and configure the relay agent parameters.

DHCP Relay Server: Contains the fields for configuring the DHCP relay servers.
  Timeout: Specifies the amount of time, in seconds, allowed for DHCP address negotiation. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
  Server: Display only. Displays the IP address of a configured, external DHCP server. Double-clicking a server address opens the DHCP Relay - Edit DHCP Server dialog box, where you can edit the DHCP relay server settings.
  Interface: Display only. Displays the interface the specified DHCP server is attached to.
  Add: Opens the DHCP Relay - Add DHCP Server dialog box, where you can specify a new DHCP relay server. You can define up to 4 DHCP relay servers on the security appliance. This button is unavailable if you already have 4 DHCP relay servers defined.
  Edit: Opens the DHCP Relay - Edit DHCP Server dialog box, where you can edit the DHCP relay server settings.
  Delete: Removes the selected DHCP relay server. The server is removed from the security appliance configuration when you apply or save your changes.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System


Edit DHCP Relay Agent Settings


You can enable the DHCP relay agent and configure the relay agent parameters for the selected interface in the Edit DHCP Relay Agent Settings dialog box.
Restrictions

You cannot enable a DHCP relay agent on an interface that has a DHCP relay server configured for it. You cannot enable a DHCP relay agent on a security appliance that has DHCP server configured on an interface.

Prerequisites

Before you can enable a DHCP relay agent on a selected interface, you must have at least one DHCP relay server in the configuration.
Fields

Enable DHCP Relay Agent: When checked, enables the DHCP relay agent on the selected interface. You must have a DHCP relay server defined before enabling the DHCP relay agent.
Set Route: Specifies whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. When this check box is checked, the DHCP relay agent substitutes the address of the selected interface for the default router address in the information returned from the DHCP server.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

DHCP Relay - Add/Edit DHCP Server


Define new DHCP relay servers in the DHCP Relay - Add DHCP Server dialog box or edit existing server information in the DHCP Relay - Edit DHCP Server dialog box. You can define up to 4 DHCP relay servers.
Restrictions

You cannot define a DHCP relay server on an interface with a DHCP server enabled on it.
Fields

DHCP Server: Specifies the IP address of the external DHCP server to which DHCP requests are forwarded.
Interface: Specifies the interface through which DHCP requests are forwarded to the external DHCP server.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

DHCP Server
The DHCP Server pane lets you configure the security appliance interfaces as DHCP servers. You can configure one DHCP server per interface on the security appliance.

Note

You cannot configure a DHCP server on an interface that has DHCP relay configured on it. For more information about DHCP relay, see DHCP Relay.
Fields

Interface: Display only. Displays the interface ID. Double-clicking an interface ID opens the Edit DHCP Server dialog box, where you can enable DHCP on and assign a DHCP address pool to the selected interface.
DHCP Enabled: Display only. Indicates whether DHCP is enabled on the interface. This column displays Yes if DHCP is enabled or No if DHCP is not enabled on the interface.
Address Pool: Display only. Displays the range of IP addresses assigned to the DHCP address pool.
DNS Servers: Display only. Displays the DNS servers configured for the interface.
WINS Servers: Display only. Displays the WINS servers configured for the interface.
Domain Name: Display only. Displays the domain name of the interface.
Ping Timeout: Display only. Displays the time in milliseconds that the security appliance will wait for an ICMP ping response on the interface.
Lease Length: Display only. Displays the duration of time that the DHCP server configured on the interface allows DHCP clients to use an assigned IP address.
Auto Interface: Display only. Displays the interface on a DHCP client providing DNS, WINS, and domain name information for automatic configuration.
Options: Display only. Displays advanced DHCP options configured for the interface.
Dynamic DNS Settings: Display only. Displays the DDNS update settings configured for the interface.
Edit: Opens the Edit DHCP Server dialog box for the selected interface. You can enable DHCP and specify the DHCP address pool in the Edit DHCP Server dialog box.
Other DHCP Options: Contains optional DHCP parameters.
  Enable Autoconfiguration on interface: Check to enable DHCP auto configuration and select the interface from the menu.


DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If any of the information obtained through auto configuration is also specified manually in the Other DHCP Options area, the manually specified information takes precedence over the discovered information.
  DNS Server 1 (Optional): Specifies the IP address of the primary DNS server for a DHCP client.
  DNS Server 2 (Optional): Specifies the IP address of the alternate DNS server for a DHCP client.
  Domain Name (Optional): Specifies the DNS domain name for DHCP clients. Enter a valid DNS domain name, for example, example.com.
  Lease Length (Optional): Specifies the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
  Primary WINS Server (Optional): Specifies the IP address of the primary WINS server for a DHCP client.
  Secondary WINS Server (Optional): Specifies the IP address of the alternate WINS server for a DHCP client.
  Ping Timeout (Optional): To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. The Ping Timeout field specifies the amount of time, in milliseconds, that the security appliance waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
  Advanced: Opens the Advanced DHCP Options dialog box, where you can specify DHCP options and their parameters.

Dynamic DNS Settings for DHCP Server: In this area, you can configure the DDNS update settings for the DHCP server.
  Update DNS Clients: Check to specify that, besides the default action of updating the client PTR resource records, the DHCP server should also perform the following update actions (if selected):
    Update Both Records: Check to specify that the DHCP server should update both the A and PTR RRs.
    Override Client Settings: Check to specify that the DHCP server actions should override any update actions requested by the DHCP client.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System


Edit DHCP Server


You can enable DHCP and specify the DHCP address pool for the selected interface in the Edit DHCP Server dialog box.
Fields

Enable DHCP Server: Check this check box to enable the DHCP server on the selected interface. Uncheck this check box to disable DHCP on the selected interface. Disabling the DHCP server on the selected interface does not clear the specified DHCP address pool.
DHCP Address Pool: Enter the IP address pool used by the DHCP server. Enter the range of IP addresses from lowest to highest. The range of IP addresses must be on the same subnet as the selected interface and cannot contain the IP address of the interface itself.
Optional Parameters: You can optionally configure the following parameters for the DHCP server:
  DNS Server 1: Enter the IP address of the primary DNS server for a DHCP client.
  DNS Server 2: Enter the IP address of the alternate DNS server for a DHCP client.
  Domain Name: Enter the DNS domain name for DHCP clients. Enter a valid DNS domain name, for example, example.com.
  Lease Length: Enter the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
  Primary WINS Server: Enter the IP address of the primary WINS server for a DHCP client.
  Secondary WINS Server: Enter the IP address of the alternate WINS server for a DHCP client.
  Ping Timeout: Enter the amount of time, in milliseconds, that the security appliance waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
  Enable Autoconfiguration on interface: Check to enable DHCP auto configuration and select the interface from the menu.
  Advanced: Opens the Advanced DHCP Options dialog box, where you can specify DHCP options and their parameters.

Dynamic DNS Settings for DHCP Server: In this area, you can configure the DDNS update settings for the DHCP server.
  Update DNS Clients: Check to specify that, besides the default action of updating the client PTR resource records, the DHCP server should also perform the following update actions (if selected):
    Update Both Records: Check to specify that the DHCP server should update both the A and PTR RRs.
    Override Client Settings: Check to specify that DHCP server actions should override any update actions requested by the DHCP client.


Modes

The following table shows the modes in which this feature is available:


Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System

Advanced DHCP Options


The Advanced DHCP Options dialog box lets you configure DHCP option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers. You can use the advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients. You can also use the DHCP auto configuration setting to obtain these values or manually specify them on the DHCP Server pane. When you use more than one method to specify this information, the information is passed to DHCP clients with the following preference:
1. Manually configured settings.
2. Advanced DHCP Options settings.
3. DHCP auto configuration.

For example, you can manually define the domain name that you want the DHCP clients to receive, and then enable DHCP auto configuration. Although DHCP auto configuration will discover the domain along with the DNS and WINS servers, the manually-defined domain name is passed to DHCP clients with the discovered DNS and WINS server names. The domain name discovered by the DHCP auto configuration process is discarded in favor of the manually-defined domain name.
Fields

Option to be AddedContains the fields used to configure a DHCP option.


Choose the option code: Lists the available option codes. All DHCP options (options 1 through 255) are supported except 1, 12, 50 through 54, 58 through 59, 61, 67, and 82. Choose the option that you want to configure. Some options are standard. For standard options, the option name is shown in parentheses after the option number and the option parameters are limited to those supported by the option. For all other options, only the option number is shown and you must choose the appropriate parameters to supply with the option. For standard DHCP options, only the supported option value type is available. For example, if you choose DHCP Option 2 (Time Offset), you can only supply a hexadecimal value for the option. For all other DHCP options, all of the option value types are available and you must choose the appropriate option value type.

Option Data: These options specify the type of information the option returns to the DHCP client. For standard DHCP options, only the supported option value type is available. For all other DHCP options, all of the option value types are available.
IP Address: Choosing this value specifies that an IP address is returned to the DHCP client. You can specify up to two IP addresses.


Note

The name of the associated IP Address fields can change based on the DHCP option you chose. For example, if you choose DHCP Option 3 (Router), the fields change name to Router 1 and Router 2.

IP Address 1: An IP address in dotted-decimal notation.
IP Address 2 (Optional): An IP address in dotted-decimal notation.

ASCII: Choosing this option specifies that an ASCII value is returned to the DHCP client.

Note

The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 14 (Merit Dump File), the associated Data field changes name to File Name.

Data: An ASCII character string. The string cannot include white space.

Hex: Selecting this option specifies that a hexadecimal value is returned to the DHCP client.

Note

The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 2 (Time Offset), the associated Data field becomes the Offset field.

Data: A hexadecimal string with an even number of digits and no spaces. You do not need to use a 0x prefix.

Add: Adds the configured option to the DHCP option table.
Delete: Removes the selected option from the DHCP option table.
DHCP option table: Lists the DHCP options that have been configured.
  Option Code: Shows the DHCP option code. For standard DHCP options, the option name appears in parentheses next to the option code.
  Option Data: Shows the parameters that have been configured for the selected option.
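As an added illustration of what the three value types and the option-code exclusions above amount to on the wire (example code, not from the Cisco documentation or ASDM), the following Python encodes an option in the standard DHCP code/length/data layout, enforcing the page's rules: one or two IPv4 addresses, ASCII with no white space, or an even number of hex digits without a 0x prefix. The option names in STANDARD_NAMES and the sample server addresses are constructed for the example.

```python
"""Encode DHCP options as the Advanced DHCP Options dialog accepts them.

Added example, not part of the Cisco ASDM documentation. Only the three
value types (IP Address, ASCII, Hex) and the excluded option codes come
from the page; the code/length/data layout is the standard DHCP option
format (RFC 2132), and the sample values below are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Option codes the page says the dialog does not offer: 1, 12, 50-54,
# 58-59, 61, 67 and 82. The DHCP server fills these in itself.
UNSUPPORTED_CODES = frozenset(
    {1, 12, 61, 67, 82} | set(range(50, 55)) | {58, 59}
)

# Names for a few standard options mentioned on the page (assumed
# mapping for readable output; the dialog shows names in parentheses).
STANDARD_NAMES = {
    2: "Time Offset",
    3: "Router",
    14: "Merit Dump File",
    66: "TFTP Server Name",
    150: "TFTP Server Address",
}


def check_code(code: int) -> int:
    """Reject codes outside 1..255 and the page's exclusion list."""
    if not 1 <= code <= 255:
        raise ValueError(f"option code {code} is outside 1-255")
    if code in UNSUPPORTED_CODES:
        raise ValueError(f"option code {code} is not configurable here")
    return code


def _tlv(code: int, data: bytes) -> bytes:
    """Standard option layout: one code byte, one length byte, data."""
    if not 1 <= len(data) <= 255:
        raise ValueError("option data must be 1-255 bytes")
    return bytes([code, len(data)]) + data


def encode_ip(code: int, *addrs: str) -> bytes:
    """IP Address type: one or two dotted-decimal IPv4 addresses."""
    check_code(code)
    if not 1 <= len(addrs) <= 2:
        raise ValueError("IP Address type takes one or two addresses")
    return _tlv(code, b"".join(ipaddress.IPv4Address(a).packed for a in addrs))


def encode_ascii(code: int, text: str) -> bytes:
    """ASCII type: a character string that cannot include white space."""
    check_code(code)
    if not text or not text.isascii() or re.search(r"\s", text):
        raise ValueError("ASCII data must be non-empty ASCII with no white space")
    return _tlv(code, text.encode("ascii"))


def encode_hex(code: int, digits: str) -> bytes:
    """Hex type: an even number of hex digits, no spaces, no 0x prefix."""
    check_code(code)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
        raise ValueError("hex data must be an even number of hex digits, no 0x prefix")
    return _tlv(code, bytes.fromhex(digits))


def decode(option: bytes) -> tuple[int, str, bytes]:
    """Split one encoded option back into (code, name, data), checking length."""
    if len(option) < 2 or len(option) != 2 + option[1]:
        raise ValueError("malformed option: length byte does not match data")
    code = option[0]
    return code, STANDARD_NAMES.get(code, ""), option[2:]


def describe(option: bytes) -> str:
    """Render an option the way the DHCP option table lists it."""
    code, name, data = decode(option)
    label = f"{code} ({name})" if name else str(code)
    return f"Option Code: {label}; Option Data: {data.hex()}"


if __name__ == "__main__":
    # Constructed sample values: two TFTP servers for IP phones (option 150),
    # a TFTP server name for IOS routers (option 66) and a UTC-8 time offset
    # (option 2, -28800 seconds as a 32-bit two's-complement hex value).
    for opt in (
        encode_ip(150, "10.1.1.5", "10.1.1.6"),
        encode_ascii(66, "tftp.example.com"),
        encode_hex(2, "ffff8f80"),
    ):
        print(describe(opt))
```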

Modes

The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple: Context  Multiple: System


DNS Client
The DNS Client pane shows the DNS server groups and DNS lookup information for the security appliance, so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution. In those cases, you must enter the IP address or manually resolve the name to an IP address by adding the server name in the Network Objects/Groups pane.
Fields

DNS Server GroupsDisplays and manages the DNS server list. There can be up to six addresses to which DNS requests can be forwarded. The security appliance tries each DNS server in order until it receives a response. You must enable DNS on at least one interface in the DNS Lookup area before you can add a DNS server. The contents of the table in this area are as follows:
Name: Display only. Shows the name of each configured DNS server group.
Servers: Display only. Shows the IP addresses of the configured servers.
Timeout: Display only. Shows the number of seconds to wait before trying the next DNS server in the list, between 1 and 30 seconds. The default is 2 seconds. Each time the security appliance retries the list of servers, this timeout doubles.
Retries: Display only. Shows the number of times the security appliance retries the request.
Domain Name: Display only. Shows the DNS domain name configured for the server group.

DNS Lookup: Enables or disables DNS lookup on an interface.
Interface: Display only. Lists all interface names.
DNS Enabled: Display only. Shows whether an interface supports DNS lookup, Yes or No.
Disable: Disables DNS lookup for the selected interface.

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit DNS Server Group


The Add or Edit DNS Server Group pane lets you specify or modify one or more DNS servers for the security appliance so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration (See Add/Edit Trustpoint Configuration > Enrollment Settings Tab and Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab). Other features that define server names (such as AAA) do not support DNS resolution. For those, you must enter the IP address or manually resolve the name to an IP address by adding the server name in the Network Objects/Groups pane.


Fields

Name: Specifies the server name. For the Edit function, this field is Display only.
DNS Servers: Manages the DNS server list. You can specify up to six addresses to which DNS requests can be forwarded. The security appliance tries each DNS server in order until it receives a response. You must enable DNS on at least one interface in the DNS Lookup area before you can add a DNS server.
Server to be Added: Specifies the DNS server IP address.
Add: Adds a DNS server to the bottom of the list.
Delete: Deletes the selected DNS server from the list.
Servers: Display only. Shows the DNS server list.
Move Up: Moves the selected DNS server up the list.
Move down: Moves the selected DNS server down the list.
Timeout: Specifies the number of seconds to wait before trying the next DNS server in the list, between 1 and 30 seconds. The default is 2 seconds. Each time the security appliance retries the list of servers, this timeout doubles.
Retries: Sets the number of times the security appliance retries the request. The range is 1 through 10 retries.
Domain Name: (Optional) Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example, example.com.
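As an added illustration (not from the guide), the following Python models the server walk described for DNS server groups here and in the DNS Client pane above: servers tried in configured order, the per-server timeout doubling on each pass, and the Retries count bounding the passes. Two assumptions are mine: that Retries counts passes after the first, and the sample addresses and the slow-server behaviour in the demo.

```python
# Constraints from the Add/Edit DNS Server Group dialog.
MAX_SERVERS = 6
TIMEOUT_RANGE = range(1, 31)   # 1..30 seconds, default 2
RETRIES_RANGE = range(1, 11)   # 1..10 retries


def dns_query_schedule(servers, timeout=2, retries=2):
    """Order in which the appliance tries the group's servers when none answers.

    Returns a list of (pass_number, server, seconds_waited). Servers are walked in
    order; after a full pass with no response the per-server timeout doubles.
    Assumption (not stated on the page): Retries counts passes after the first,
    so the list is walked 1 + retries times.
    """
    servers = list(servers)
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError("a DNS server group holds 1 to 6 servers")
    if timeout not in TIMEOUT_RANGE:
        raise ValueError("Timeout is 1 through 30 seconds")
    if retries not in RETRIES_RANGE:
        raise ValueError("Retries is 1 through 10")
    schedule, wait = [], timeout
    for pass_no in range(1, retries + 2):
        for server in servers:
            schedule.append((pass_no, server, wait))
        wait *= 2
    return schedule


def worst_case_seconds(servers, timeout=2, retries=2):
    """Total time before the appliance gives up when no server ever answers.
    This is how long a WebVPN or certificate name lookup can stall."""
    return sum(wait for _, _, wait in dns_query_schedule(servers, timeout, retries))


def resolve_with_group(servers, timeout, retries, responder):
    """Simulate one lookup. `responder(server, wait)` returns an answer, or None
    if that server did not reply within `wait` seconds. Returns (answer, seconds
    spent on timed-out attempts); answer is None when every attempt times out."""
    elapsed = 0
    for _, server, wait in dns_query_schedule(servers, timeout, retries):
        answer = responder(server, wait)
        if answer is not None:
            return answer, elapsed
        elapsed += wait
    return None, elapsed


if __name__ == "__main__":
    # Constructed sample: the first server is dead, the second only answers
    # when given at least 4 seconds, so it is reached on the second pass.
    group = ["192.0.2.10", "192.0.2.53"]

    def slow_responder(server, wait):
        return "203.0.113.5" if server == "192.0.2.53" and wait >= 4 else None

    print(resolve_with_group(group, 2, 2, slow_responder))   # ('203.0.113.5', 8)
    print(worst_case_seconds(group, 2, 2))                   # 28
```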

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Dynamic DNS
Dynamic DNS provides address and domain name mappings so hosts can find each other even though their DHCP-assigned IP addresses change frequently. The DDNS name and address mappings are held on the DHCP server in two resource records: the A RR contains the name to IP address mapping, while the PTR RR maps addresses to names. Of the two methods for performing DDNS updates, the IETF standard defined by RFC 2136 and a generic HTTP method, the security appliance supports the IETF method in this release. The Dynamic DNS pane shows the configured DDNS update methods and the interfaces configured for DDNS. By automatically recording the association between assigned addresses and host names at predefined intervals, DDNS keeps frequently changing address-to-host-name associations up to date. Mobile hosts, for example, can then move freely on a network without user or administrator intervention.


Fields

Update Methods: Lists the DDNS update methods that are configured on the security appliance. This table includes:
Method Name: Display only. Shows the user-defined name for the DDNS update method.
Interval: Display only. Shows the time between DNS update attempts configured for the update method.
Update DNS Server Records: Display only. Shows whether the method updates both the A resource record (name to IP address) and the PTR resource record (IP address to name), or neither record.
Add/Edit: Displays the Add/Edit Dynamic DNS Update Methods dialog box.
Delete: Removes the currently selected update method from the table.

Dynamic DNS Interface Settings: Lists the DDNS settings for each interface configured for DDNS.
Interface: Display only. Shows the names of the security appliance interfaces configured for DDNS.
Method Name: Display only. Shows the update methods assigned to each interface.
Hostname: Display only. Shows the hostname of the DDNS client.
Update DHCP Server Records: Display only. Shows whether the interface updates both the A and PTR resource records or neither.
Add/Edit: Displays the Add/Edit Dynamic DNS Interface Settings dialog box.
Delete: Removes the DDNS update settings for the selected interface.

DHCP Clients Update DNS Records: This is the global setting specifying which records the DHCP client requests to be updated by the DHCP server. Click one of the following radio buttons:
Default (PTR Records) to specify that the client request PTR record updating by the server, or
Both (PTR Records and A Records) to specify that the client request both the A and PTR DNS resource records by the server, or
None to specify that the client request no updates by the server.

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Dynamic DNS Update Methods


The Add/Edit Dynamic DNS Update Methods dialog box lets you add a new method or edit a previously added method. You can specify the method name (if adding a method), specify the interval between DDNS update attempts, and specify whether the DDNS client attempts to update both or neither of the two DNS records, the A record and the PTR record.
Fields

Name: If you are adding a method, enter the name of the new method in this field. If you are editing an existing method, this field is display-only and shows the name of the method selected for editing.
Update Interval: Specifies the time to elapse between update attempts. The interval ranges from 0 to nearly one year. The units below are additive. That is, if you enter 0 days, 0 hours, 5 minutes and 15 seconds, the update method will attempt an update every 5 minutes and 15 seconds for as long as the method is active.
Days: Choose the number of days between update attempts from 0 to 364.
Hours: Choose the number of hours (in whole numbers) between update attempts from 0 to 23.
Minutes: Choose the number of minutes (in whole numbers) between update attempts from 0 to 59.
Seconds: Choose the number of seconds (in whole numbers) between update attempts from 0 to 59.
Update Records: Click Both (A and PTR Records) for the client to attempt updates to both the A and PTR DNS resource records, or click A Records Only to update just the A records. This is the individual method setting for DNS server records updated by the client.
Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

Add/Edit Dynamic DNS Interface Settings


The Add/Edit Dynamic DNS Interface Settings dialog box allows you to configure DDNS on a security appliance interface. You can assign an update method, specify the hostname, and configure DHCP server updating of both the A and PTR records by the client or neither.
Fields

Interface: Choose an interface on which to configure DDNS from the menu.
Update Method: Choose an available DDNS update method from the menu.
Hostname: Enter the hostname of the DDNS client.
DHCP Client: This area allows you to specify that the DHCP client updates both the A and PTR DNS records or neither. This interface setting overrides the global setting at Configuration > Properties > DNS > Dynamic DNS.
DHCP Client Updates DNS Records: Click one of the following radio buttons:
Default (PTR Records only) to specify that the client request only PTR record updating by the server, or
Both (PTR Records and A Records) to specify that the client request both the A and PTR DNS resource records by the server, or
None to specify that the client request no updates by the server.

Note

DHCP must be enabled on the selected interface for this action to be effective.

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).


Chapter 10

Configuring AAA Servers


This section contains the following topics:

Understanding AAA
AAA Implementation in ASDM
AAA Setup

Understanding AAA
This section contains the following topics:

AAA Overview
Preparing for AAA
LOCAL Database

AAA Overview
AAA enables the security appliance to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting). You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization. AAA provides more protection and control over user access than access lists alone. For example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server, and you might not always know the IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to make it through the security appliance. (The Telnet server enforces authentication, too; the security appliance prevents unauthorized users from attempting to access the server.)

About Authentication: Authentication grants access based on user identity. Authentication establishes user identity by requiring valid user credentials, which are typically a username and password.
About Authorization: Authorization controls access per user after users authenticate. Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.


If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization. The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.

About Accounting: Accounting tracks traffic that passes through the security appliance, enabling you to have a record of user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Preparing for AAA


AAA services depend upon the use of the LOCAL database or at least one AAA server. You can also use the LOCAL database as a fallback for most services provided by a AAA server. Before you implement AAA, you should configure the LOCAL database and configure AAA server groups and servers. How you configure the LOCAL database and AAA servers depends upon the AAA services you want the security appliance to support. Regardless of whether you use AAA servers, you should configure the LOCAL database with user accounts that support administrative access, to prevent accidental lockouts and, if so desired, to provide a fallback method when AAA servers are unreachable. For more information, see LOCAL Database. Table 10-1 provides a summary of AAA service support by each AAA server type and by the LOCAL database. You manage the LOCAL database by configuring user profiles in the Configuration > Properties > Device Administration > User Accounts pane. You establish AAA server groups and add individual AAA servers to the server groups in the Configuration > Properties > AAA Setup > AAA Server Groups pane.
Table 10-1 Summary of AAA Support

Database Type  Authentication of...                          Authorization of...                           Accounting of...
               VPN users  Firewall sessions  Administrators   VPN users  Firewall sessions  Administrators   VPN connections  Firewall sessions  Administrators
Local          Yes        Yes                Yes              Yes        No                 Yes (4)          No               No                 No
RADIUS         Yes        Yes                Yes              Yes        Yes (3)            No               Yes              Yes                Yes (5)
TACACS+        Yes        Yes                Yes              No         Yes                Yes              Yes              Yes                Yes
SDI            Yes        Yes                Yes (2)          No         No                 No               No               No                 No
NT             Yes        Yes                Yes              No         No                 No               No               No                 No
Kerberos       Yes        Yes                Yes              No         No                 No               No               No                 No
LDAP           Yes        Yes                Yes              Yes        No                 No               No               No                 No
HTTP Form      Yes (1)    No                 No               No         No                 No               No               No                 No

1. HTTP Form protocol supports single sign-on authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.

LOCAL Database
The security appliance maintains a local database that you can populate with user profiles.

User Profiles: User profiles contain, at a minimum, a username. Typically, you assign a password to each username, although passwords are optional. User profiles can also specify VPN access policy per user. You can manage user profiles with the Configuration > Properties > Device Administration > User Accounts pane.
Fallback Support: The local database can act as a fallback method for console and enable password authentication, for command authorization, and for VPN authentication and authorization. This behavior is designed to help you prevent accidental lockout from the security appliance. For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

AAA Implementation in ASDM


You can use AAA for the following:

AAA for Device Administration
AAA for Network Access
AAA for VPN Access

AAA for Device Administration


You can authenticate all administrative connections to the security appliance, including:

Telnet
SSH
Serial console
ASDM
VPN management access

You can also authenticate administrators who attempt to enter enable mode. You can authorize administrative commands. You can have accounting data for administrative sessions and for commands issued during a session sent to an accounting server. You can configure AAA for device administration with the Configuration > Properties > Device Access > AAA Access pane.

AAA for Network Access


You can configure rules for authenticating, authorizing, and accounting for traffic passing through the firewall by using the Configuration > Security Policy > AAA Rules tab. The rules you create are similar to access rules, except that they specify whether to authenticate, authorize, or perform accounting for the traffic defined, and which AAA server group the security appliance is to use to process the AAA service request.

AAA for VPN Access


AAA services for VPN access include the following:

User account settings for assigning users to VPN groups, configured in the Configuration > Properties > Device Administration > User Accounts pane.
VPN group policies that can be referenced by many user accounts or tunnel groups, configured in the Configuration > VPN > General > Group Policy pane.
Tunnel group policies, configured in the Configuration > VPN > General > Tunnel Group pane.

AAA Setup
The AAA Setup panes let you configure AAA server groups, AAA servers, and the authentication prompt. This section includes the following topics:

AAA Server Groups
Auth. Prompt
LDAP Attribute Map

AAA Server Groups


The AAA Server Groups pane lets you:

Configure AAA server groups and the protocols the security appliance uses to communicate with the servers listed in each group.
Configure and add individual servers to AAA server groups.

You can have up to 15 groups in single-mode or 4 groups in multi-mode. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. When a user logs in, the servers are accessed one at a time, starting with the first server you specify, until a server responds.


If AAA accounting is in effect, the accounting information goes only to the active server, unless you have configured simultaneous accounting. For an overview of AAA services, see Understanding AAA.
Fields

The fields in the AAA Server Groups pane are grouped into two main areas: the AAA Server Groups area and the Servers In The Selected Group area. The AAA Server Groups area lets you configure AAA server groups and the protocols the security appliance uses to communicate with the servers listed in each group.

Note

Double-clicking any of the rows in the AAA Server Groups table opens the Edit AAA Server Group dialog box, in which you can modify the AAA Server Group parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration. Clicking a column head sorts the table rows in alphanumeric order according to the contents of that column.

Server Group: Display only. Shows the symbolic name of the selected server group.
Protocol: Display only. Lists the AAA protocol that servers in the group support.
Accounting Mode: Display only. Shows either simultaneous or single mode accounting. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group.
Reactivation Mode: Display only. Shows the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.
Dead Time: Display only. Shows the number of minutes that will elapse between the disabling of the last server in the group and the subsequent reenabling of all servers. This parameter applies only in depletion mode.
Max Failed Attempts: Display only. Shows the number of failed connection attempts allowed before declaring a nonresponsive server inactive.
Add: Displays the Add AAA Server Group dialog box.
Edit: Displays the Edit AAA Server Group dialog box, or, if you have selected LOCAL as the server group, displays the Edit AAA Local Server Group dialog box.
Delete: Removes the currently selected server group entry from the server group table. There is no confirmation or undo.

The Servers In Selected Group area, the second area of the AAA Server Groups pane, lets you add and configure AAA servers for existing AAA server groups. The servers can be RADIUS, TACACS+, NT, SDI, Kerberos, LDAP, or HTTP-form servers.

Server Name or IP Address: Display only. Shows the name or IP address of the AAA server.
Interface: Display only. Shows the network interface where the authentication server resides.
Timeout: Display only. Shows the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server.
Add/Edit: Displays the Add/Edit AAA Server dialog box.
Delete: Removes the selected AAA server from the list.
Move up: Moves the selected AAA server up in the AAA sequence.
Move down: Moves the selected AAA server back in the AAA sequence.
Test: Displays the Test AAA Server dialog box.

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

1. HTTP Form and WebVPN are supported only in single routed mode.

Add/Edit AAA Server Group


The Add/Edit AAA Server Group dialog box lets you add or modify AAA server groups. The results appear in the AAA Server table.
Fields

Server Group: Display only. Shows the name of the selected server group.
Protocol drop-down list: Specifies the protocols supported by servers in the group. They include RADIUS, TACACS+, NT Domain, SDI, Kerberos, LDAP, and HTTP Form for single sign-on (WebVPN users only).

Note

The following fields are not available after selecting the HTTP Form protocol.

Accounting Mode: Specifies the accounting mode used with the server group.
Simultaneous: Configures the security appliance to send accounting data to all servers in the group.
Single: Configures the security appliance to send accounting data to only one server of the group.
Reactivation Mode: Specifies the method by which failed servers are reactivated.
Depletion: Configures the security appliance to reactivate failed servers only after all of the servers in the group are inactive.
Timed: Configures the security appliance to reactivate failed servers after 30 seconds of down time.
Dead Time: Specifies the number of minutes that will elapse between the disabling of the last server in the group and the subsequent reenabling of all servers. This field is not available for timed mode.
Max Failed Attempts: Specifies the number of failed connection attempts (1 through 5) allowed before declaring a nonresponsive server inactive.
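To make the interaction of these settings concrete, here is an added Python model (my own, not Cisco's implementation) of one server group as this dialog and the AAA Server Groups pane describe it: servers tried in configured order, Max Failed Attempts marking a server inactive, Depletion versus Timed reactivation with Dead Time, and single versus simultaneous accounting. Server names and timestamps in the demo are constructed.

```python
from typing import List, Optional

DEPLETION, TIMED = "depletion", "timed"
TIMED_REACTIVATION_SECONDS = 30     # Timed mode: a failed server returns after 30 s of down time


class AAAServer:
    def __init__(self, name: str):
        self.name = name
        self.active = True
        self.failures = 0                       # consecutive failed connection attempts
        self.failed_at: Optional[float] = None  # when the server was marked inactive


class AAAServerGroup:
    """One AAA server group. Times are seconds (e.g. from time.monotonic());
    dead_time is in minutes, as in the dialog."""

    def __init__(self, names: List[str], reactivation: str = DEPLETION,
                 dead_time: int = 10, max_failed_attempts: int = 3,
                 accounting_mode: str = "single"):
        if not 1 <= max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts is 1 through 5")
        if reactivation not in (DEPLETION, TIMED):
            raise ValueError("Reactivation Mode is Depletion or Timed")
        if accounting_mode not in ("single", "simultaneous"):
            raise ValueError("Accounting Mode is single or simultaneous")
        self.servers = [AAAServer(n) for n in names]
        self.reactivation = reactivation
        self.dead_time_s = dead_time * 60
        self.max_failed = max_failed_attempts
        self.accounting_mode = accounting_mode
        self.depleted_at: Optional[float] = None   # when the last server went inactive

    def _reactivate(self, now: float) -> None:
        if self.reactivation == TIMED:
            for s in self.servers:
                if not s.active and now - s.failed_at >= TIMED_REACTIVATION_SECONDS:
                    s.active = True
        elif self.depleted_at is not None and now - self.depleted_at >= self.dead_time_s:
            # Depletion: nothing comes back until every server is down and Dead Time
            # has elapsed; then all servers are re-enabled together.
            for s in self.servers:
                s.active = True
            self.depleted_at = None

    def active_servers(self, now: float) -> List[AAAServer]:
        self._reactivate(now)
        return [s for s in self.servers if s.active]

    def select(self, now: float) -> Optional[AAAServer]:
        """Server a new request goes to: the first active one in configured order.
        None means the whole group is down, which is when LOCAL fallback matters."""
        active = self.active_servers(now)
        return active[0] if active else None

    def accounting_targets(self, now: float) -> List[AAAServer]:
        """Single mode sends accounting data to one server; simultaneous to all active ones."""
        active = self.active_servers(now)
        return active if self.accounting_mode == "simultaneous" else active[:1]

    def report(self, server: AAAServer, succeeded: bool, now: float) -> None:
        """Record the outcome of one connection attempt to `server`."""
        if succeeded:
            server.failures = 0
            return
        server.failures += 1
        if server.failures >= self.max_failed:
            server.active, server.failures, server.failed_at = False, 0, now
            if self.reactivation == DEPLETION and not any(s.active for s in self.servers):
                self.depleted_at = now   # Dead Time starts when the last server is disabled


if __name__ == "__main__":
    # Constructed scenario: two RADIUS servers, Depletion mode, Dead Time 1 minute.
    g = AAAServerGroup(["radius-a", "radius-b"], DEPLETION, dead_time=1, max_failed_attempts=2)
    a, b = g.servers
    for t in (0, 1):
        g.report(a, False, t)          # radius-a marked inactive at t=1
    print(g.select(1).name)            # radius-b
    for t in (2, 3):
        g.report(b, False, t)          # group depleted at t=3
    print(g.select(4))                 # None: fall back (e.g. to LOCAL)
    print(g.select(63).name)           # radius-a: all servers back after Dead Time
```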


Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

1. HTTP Form and WebVPN are supported only in single routed mode.

Edit AAA Local Server Group


The Edit AAA Local Server Group dialog box lets you specify whether to enable local user lockout and the maximum number of failed login attempts to allow before locking out the user. If a user is locked out, an administrator must clear the lockout condition before the user can successfully log in.
Fields

Enable Local User Lockout: Enables locking out and denying access to a user who has exceeded the configured maximum number of failed authentication attempts.
Maximum Attempts: Specifies the maximum number of failed login attempts allowed before locking out and denying access to a user. This limit applies only when the LOCAL database is used for authentication.

Modes

The following table shows the modes in which this feature is available. Its columns are Firewall Mode (Routed, Transparent) and Security Context (Single, Multiple Context, System).

1. HTTP Form and WebVPN are supported only in single routed mode.

Add/Edit AAA Server


The Add/Edit AAA Server dialog box lets you modify the parameters of an existing AAA server or add a new AAA server to an existing group selected in the AAA server groups table.
Fields

Note

The first four fields are the same for all types of servers. The contents of the remaining area are specific to each server type.

Server Group: Display only. Shows the name of the server group.
Interface Name: Specifies the network interface where the server resides.
Server Name or IP Address: Specifies the name or IP address of the AAA server.


Timeout: Specifies the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server.

RADIUS Parameters area: Specifies the parameters needed for using a RADIUS server. This area appears only when the selected server group uses RADIUS.
Retry Interval: Specifies the number of seconds to wait after sending a query to the server and receiving no response, before reattempting the connection. The minimum time is 1 second. The default time is 10 seconds. The maximum time is 10 seconds.
Server Authentication Port: Specifies the server port to use for user authentication. The default port is 1645.

Note

The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.

Server Accounting Port: Specifies the server port to use for user accounting. The default port is 1646.
Server Secret Key: Specifies the server secret key (also called the shared secret) to use for encryption; for example: C8z077f. The secret is case-sensitive. The field displays only asterisks. The security appliance uses the server secret to authenticate to the RADIUS server. The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server. The maximum field length is 64 characters.
Confirm Server Secret Key: Requires that you reenter the server secret, to confirm its accuracy. The secret is case-sensitive. The field displays only asterisks.
Common Password: Specifies the common password for the group. The password is case-sensitive. The field displays only asterisks. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password. A RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS authorization server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator. Enter a common password for all users who are accessing this RADIUS authorization server through this security appliance. If you leave this field blank, each user password will be his or her own username. For example, a user with the username jsmith would enter jsmith. As a security precaution, never use a RADIUS authorization server for authentication. Use of a common password or usernames as passwords is much less secure than strong passwords per user.

Note

The password field is required by the RADIUS protocol and the RADIUS server requires it; however, users do not need to know it.

Confirm Common Password: Requires that you reenter the common password, to confirm its accuracy. The password is case-sensitive. The field displays only asterisks.
ACL Netmask Convert: Specifies how the security appliance handles netmasks received in downloadable access lists. The security appliance expects downloadable access lists to contain standard netmask expressions, whereas Cisco Secure VPN 3000 series concentrators expect downloadable access lists to contain wildcard netmask expressions, which are the reverse of a standard netmask expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. The ACL Netmask Convert list helps minimize the effects of these differences upon how you configure downloadable access lists on your RADIUS servers. If you choose Detect Automatically, the security appliance attempts to determine the type of netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard netmask expression; however, because some wildcard expressions are difficult to detect unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a standard netmask expression. If you choose Standard, the security appliance assumes downloadable access lists received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed. If you choose Wildcard, the security appliance assumes downloadable access lists received from the RADIUS server contain only wildcard netmask expressions and it converts them all to standard netmask expressions when the access lists are downloaded.
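The following Python is an added example, not the appliance's code, that works through the ACL Netmask Convert problem: inverting a wildcard mask, telling contiguous standard and wildcard masks apart, showing which masks are ambiguous (the case the Detect Automatically caveat is about), and how much address space one access list entry covers once its mask is misread. The rule that an ambiguous mask is read as standard in automatic mode is my assumption; the sample masks are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))


def wildcard_to_standard(mask: str) -> str:
    """Invert a wildcard mask (1 = ignore the bit) into a standard netmask (1 = match it)."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ ALL_ONES))


def looks_standard(mask: str) -> bool:
    """A standard netmask is a run of ones followed by a run of zeros."""
    inv = _to_int(mask) ^ ALL_ONES       # zeros then ones -> inv + 1 is a power of two
    return inv & (inv + 1) == 0


def looks_wildcard(mask: str) -> bool:
    """A contiguous wildcard mask is a run of zeros followed by a run of ones."""
    m = _to_int(mask)
    return m & (m + 1) == 0


def classify(mask: str) -> str:
    """How a downloaded mask reads: standard, wildcard, ambiguous (valid either way), or unknown."""
    std, wc = looks_standard(mask), looks_wildcard(mask)
    if std and wc:
        return "ambiguous"   # only 0.0.0.0 and 255.255.255.255 are contiguous in both senses
    if std:
        return "standard"
    if wc:
        return "wildcard"
    return "unknown"         # e.g. a discontiguous wildcard such as 0.255.0.255


def convert(mask: str, setting: str) -> str:
    """Apply one ACL Netmask Convert setting ('standard', 'wildcard' or 'auto') to a
    downloaded mask and return the standard netmask the appliance would install.
    Assumption: in 'auto' an ambiguous or unknown mask is kept as a standard mask,
    which is the misinterpretation the dialog text warns about."""
    if setting == "standard":
        return mask
    if setting == "wildcard":
        return wildcard_to_standard(mask)
    if setting == "auto":
        return wildcard_to_standard(mask) if classify(mask) == "wildcard" else mask
    raise ValueError(f"unknown ACL Netmask Convert setting {setting!r}")


def covered_addresses(mask: str, setting: str) -> int:
    """Number of addresses one access list entry matches after its mask is converted.
    A mask read in the wrong sense can silently widen or narrow the entry."""
    return (_to_int(convert(mask, setting)) ^ ALL_ONES) + 1


if __name__ == "__main__":
    # Constructed samples as a VPN 3000-style RADIUS profile might send them.
    for mask in ("0.0.0.255", "255.255.255.0", "255.255.255.255", "0.255.0.255"):
        print(mask, classify(mask), convert(mask, "auto"), covered_addresses(mask, "auto"))
    # A wildcard 255.255.255.255 means "any host"; read as standard it becomes one host,
    # and a wildcard 0.0.0.255 read under the Standard setting covers 4294967041 addresses.
```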

TACACS+ ParametersSpecifies the parameters needed for using a TACACS+ server. This area appears only when the selected server group uses TACACS+.
Server PortSpecifies the server port to use. Server Secret KeySpecifies the server secret key to use for encryption. The secret is

case-sensitive. The field displays only asterisks.


Confirm Server Secret KeyRequires that you reenter the server secret, to confirm its accuracy.

The secret is case-sensitive. The field displays only asterisks.

SDI ParametersSpecifies the parameters needed for using an SDI server. This area appears only when the selected server group uses SDI.
Server PortSpecifies the server port to use. Retry IntervalSpecifies the number of seconds to wait before reattempting the connection.

Kerberos ParametersSpecifies the parameters needed for using a Kerberos server. This area appears only when the selected server group uses Kerberos.
Server PortSpecifies the server port that the Kerberos server listens to. Retry IntervalSpecifies the number of seconds to wait before reattempting the connection.

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the security appliance declares this server inoperative and uses the next Kerberos/Active Directory server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Kerberos RealmSpecifies the name of the Kerberos realm to use, for example:

USDOMAIN.ACME.COM. The maximum length is 64 characters. The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows.NET. You must enter this name, and it must be the correct realm name for the server whose IP address you entered in the Server IP Address field.

LDAP Parameters - Specifies the parameters needed for using an LDAP server. This area appears only when the selected server group uses LDAP.
Enable LDAP Over SSL - Specifies that SSL secures communications between the security appliance and the LDAP server. Also called secure LDAP.
Server Port - Specifies the server port to use. Enter the TCP port number by which you access the server.

Cisco ASDM User Guide OL-10106-04

10-9

Chapter 10 AAA Setup

Configuring AAA Servers

Server Type - Lets you manually set the LDAP server type as a Sun Microsystems JAVA System Directory Server (formerly the Sun ONE Directory Server) or a Microsoft Active Directory, or lets you specify auto-detection for server type determination.
Base DN - Specifies the Base DN. Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.
Scope - Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request: One Level (Search only one level beneath the Base DN. This option is quicker.) or All Levels (Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.)
Naming Attribute(s) - Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
Login DN - Specifies the login DN. Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the security appliance's authentication characteristics; these characteristics should correspond to those of a user with administration privileges. Enter the name of the directory object for security appliance authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=Example Corporation, dc=com. For anonymous access, leave this field blank.
Login Password - Specifies the login password. The characters you type are replaced with asterisks.
LDAP Attribute Map - Lists the LDAP attribute maps that you can apply to the LDAP server. The LDAP attribute map translates Cisco attribute names into user-defined attribute names and values.
SASL MD5 authentication - Specifies that the MD5 mechanism of the Simple Authentication and Security Layer secures authentication communications between the security appliance and the LDAP server.
SASL Kerberos authentication - Specifies that the Kerberos mechanism of the Simple Authentication and Security Layer secures authentication communications between the security appliance and the LDAP server.
Kerberos Server Group - Specifies the Kerberos server or server group used for authentication.

NT Domain Parameters - Specifies the parameters needed for using an NT server and includes the following fields:
Server Port - Specifies the TCP port number by which you access the server. The default port number is 139.
NT Domain Controller - Specifies the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 15 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP Address in Authentication Server Address; if the name is incorrect, authentication fails.

HTTP Form ParametersSpecifies the parameters for the HTTP Form protocol for single sign-on authentication, available only to WebVPN users. This area appears only when the selected server group uses HTTP Form, and only the Server Group name and the protocol are visible. Other fields are not available when using HTTP Form.


Note

To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges. If you do not know what the following parameters are, use an HTTP header analyzer to extract the data from the HTTP GET and POST exchanges when logging into the authenticating web server directly, not through the security appliance. See the WebVPN chapter in the Cisco ASA 5500 Series Configuration Guide using the CLI for more detail on extracting these parameters from the HTTP exchanges.
Start URL - Specifies the complete URL of the authenticating web server location where a pre-login cookie can be retrieved. This parameter must be configured only when the authenticating web server loads a pre-login cookie with the login page. A drop-down list offers both HTTP and HTTPS. The maximum number of characters is 1024, and there is no minimum.
Action URI - Specifies the complete Uniform Resource Identifier for the authentication program on the authorizing web server. The maximum number of characters for the complete URI is 2048 characters.
Username - Specifies the name of a username parameter (not a specific username) that must be submitted as part of the HTTP form used for SSO authentication. The maximum number of characters is 128, and there is no minimum.
Password - Specifies the name of a user password parameter (not a specific password value) that must be submitted as part of the HTTP form used for SSO authentication. The maximum number of characters is 128, and there is no minimum.
Hidden Values - Specifies hidden parameters for the HTTP POST request submitted to the authenticating web server for SSO authentication. This parameter is necessary only when it is expected by the authenticating web server as indicated by its presence in the HTTP POST request. The maximum number of characters is 2048.
Authentication Cookie Name - (Optional) Specifies the name of the cookie that is set by the server on successful login and that contains the authentication information. It is used to assign a meaningful name to the authentication cookie to help distinguish it from other cookies that the web server may pass back. The maximum number of characters is 128, and there is no minimum.
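As an added helper that is not part of ASDM, the following Python derives the Action URI, Username, Password and Hidden Values parameters from the HTML of a login page captured while logging in to the authenticating web server directly (as the Note above advises), and checks them against the length limits listed above. The sample page is constructed, and the ampersand-joined name=value format used for Hidden Values is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

# Maximum lengths from the HTTP Form Parameters description.
LIMITS = {
    "start_url": 1024,
    "action_uri": 2048,
    "username": 128,
    "password": 128,
    "hidden_values": 2048,
}


class LoginFormParser(HTMLParser):
    """Collect every <form> on a page together with its <input> elements."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name"),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def derive_http_form_params(page_url: str, html: str) -> dict:
    """Pick the first form that carries a password field and map it onto the ASDM fields."""
    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        named = [i for i in form["inputs"] if i["name"]]
        passwords = [i for i in named if i["type"] == "password"]
        if not passwords:
            continue                      # search box, newsletter form, etc.
        users = [i for i in named if i["type"] in ("text", "email")]
        hidden = [(i["name"], i["value"]) for i in named if i["type"] == "hidden"]
        return {
            "start_url": page_url,
            "action_uri": urljoin(page_url, form["action"]),   # relative action -> absolute
            "username": users[0]["name"] if users else None,    # parameter NAME, not a user
            "password": passwords[0]["name"],                   # parameter NAME, not a secret
            "hidden_values": urlencode(hidden),                 # assumed name=value&... format
        }
    raise ValueError("no form with a password field found on the login page")


def check_limits(params: dict) -> list:
    """Return the parameters that are missing or exceed the ASDM maximum length."""
    problems = []
    for key, limit in LIMITS.items():
        value = params.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif len(value) > limit:
            problems.append(f"{key}: {len(value)} chars exceeds {limit}")
    return problems


# Constructed login page, standing in for what an HTTP analyzer would capture.
SAMPLE_PAGE = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/auth/login.do" method="post">
  <input type="hidden" name="realm" value="corp">
  <input type="hidden" name="csrf" value="x9f2k">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""


def sample_params() -> dict:
    return derive_http_form_params("https://sso.example.com/auth/login", SAMPLE_PAGE)
```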
Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

1. HTTP Form and WebVPN are supported only in single routed mode.

Test AAA Server


Note

Test AAA Server is not available for HTTP Form authentication servers.


Use the Test button to determine whether the security appliance can contact the selected AAA server. Failure to reach the AAA server may be due to incorrect configuration in ASDM or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime. After you complete the fields in this dialog box and click OK, the security appliance sends the applicable test message to the selected server. If the test fails, ASDM displays an error message about the type of error encountered. If the error message suggests a configuration error in ASDM, correct the configuration and try the test again.

Tip

Checking for basic network connectivity to the AAA server may save you time in troubleshooting. To test basic connectivity, click Tools > Ping.
Fields

AAA Server Group - Display only. Shows the AAA server group that the selected AAA server belongs to.
Host - Display only. Shows the hostname of the AAA server you selected.
Authorization - Specifies that ASDM tests authorizing a user with the selected AAA server. If the server type selected does not support authorization, this radio button is not available. For example, the security appliance cannot support authorization with Kerberos servers.
Authentication - Specifies that ASDM tests authenticating a user with the selected AAA server. If the server type selected does not support authentication, this radio button is not available. For example, the security appliance cannot support authentication with LDAP servers.
Username - Specifies the username you want to use to test the AAA server. Make sure the username exists on the AAA server; otherwise, the test will fail.
Password - Specifies the password for the username you entered in the Username field. The Password field is available only for authentication tests. Make sure the password is correct for the username entered; otherwise, the authentication test will fail.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

1. HTTP Form and WebVPN are supported only in single routed mode.

Auth. Prompt
The Auth. Prompt pane lets you specify text to display to the user during the AAA authentication challenge process. You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the security appliance when requiring user authentication from TACACS+ or RADIUS servers. This text is primarily for cosmetic purposes and displays above the username and password prompts that users view when logging in.


If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server. If the AAA server authenticates the user, the security appliance displays the User accepted message text, if specified, to the user; otherwise it displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.

Note

Microsoft Internet Explorer displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.
Fields

Prompt - (Optional) Enables the display of AAA challenge text, specified in the field below the check box, for through-the-security-appliance user sessions.
Text - (Optional) Specify a string of up to 235 alphanumeric characters or 31 words, limited by whichever maximum is first reached. Do not use special characters; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)
User accepted message - (Optional) Enables the display of text, specified in the field below the check box, confirming that the user has been authenticated.
User rejected message - (Optional) Enables the display of text, specified in the field below the check box, indicating that authentication failed.

Note

All of the fields in this pane are optional. If you do not specify an authentication prompt, FTP users see "FTP authentication", HTTP users see "HTTP Authentication", and Telnet users see no challenge text.
Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

LDAP Attribute Map


The LDAP Attribute Map pane lets you create and name an attribute map for mapping custom (user-defined) attribute names to Cisco LDAP attribute names. If you are introducing a security appliance to an existing LDAP directory, your existing custom LDAP attribute names and values are probably different from the Cisco attribute names and values. Rather than renaming your existing attributes, you can create LDAP attribute maps that map your custom attribute names and values to Cisco attribute names and values. By using simple string substitution, the security appliance then presents you with only your own custom names and values.


You can then bind these attribute maps to LDAP servers or remove them as needed. You can also delete entire attribute maps or remove individual name and value entries.

Note

To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
Fields

Name - Displays the names of the LDAP attribute maps available for editing.
Attribute Map Name - Displays the mappings of custom attribute names to Cisco attribute names within each attribute map.
Add - Displays the Add LDAP Attribute Map dialog box.
Edit - Displays the Edit LDAP Attribute Map dialog box.
Delete - Deletes the selected LDAP Attribute Map.

Add/Edit LDAP Attribute Map


The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. Your typical steps to add a new attribute map using the LDAP Attribute Map dialog box would be as follows:

1. Create a new, unpopulated attribute map.
2. Populate the attribute map with name mappings that translate Cisco attribute names to custom, user-defined attribute names.
3. Populate the attribute map with value mappings that apply custom, user-defined attribute values to the custom attribute name and to the matching Cisco attribute name and value.

You would then bind the attribute map to an LDAP server when adding or editing the LDAP server using the Add/Edit AAA Server dialog box.
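The three steps above and the string substitution described in the LDAP Attribute Map section, as an added Python model that is not part of the ASDM guide or the appliance: an attribute map with name mappings and value mappings applied to a directory entry. The Cisco attribute names used (IETF-Radius-Class, Banner1), the sample entry, and the choice to drop unmapped attributes are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LdapAttributeMap:
    """One LDAP attribute map: custom (directory) names/values -> Cisco names/values."""
    name: str
    # Map Name tab: custom attribute name -> Cisco attribute name
    name_map: dict = field(default_factory=dict)
    # Map Value tab: custom attribute name -> {custom value -> Cisco value}
    value_map: dict = field(default_factory=dict)

    def map_name(self, custom_name: str, cisco_name: str) -> None:
        self.name_map[custom_name] = cisco_name

    def map_value(self, custom_name: str, custom_value: str, cisco_value: str) -> None:
        # A value mapping needs a custom name that already has a name mapping,
        # which is why the Map Value tab offers only already-mapped custom names.
        if custom_name not in self.name_map:
            raise KeyError(f"{custom_name!r} has no name mapping in map {self.name!r}")
        self.value_map.setdefault(custom_name, {})[custom_value] = cisco_value

    def remove_name(self, custom_name: str) -> None:
        """Removing a name mapping also drops the value mappings that hang off it."""
        self.name_map.pop(custom_name, None)
        self.value_map.pop(custom_name, None)

    def apply(self, entry: dict) -> dict:
        """Translate a directory entry into Cisco attribute names and values.

        Attributes without a name mapping are dropped (modelling assumption);
        values without a value mapping are passed through unchanged.
        """
        translated = {}
        for custom_name, values in entry.items():
            cisco_name = self.name_map.get(custom_name)
            if cisco_name is None:
                continue
            substitutions = self.value_map.get(custom_name, {})
            translated[cisco_name] = [substitutions.get(v, v) for v in values]
        return translated


def build_corp_map() -> LdapAttributeMap:
    """The three steps from the guide: create, add name mappings, add value mappings."""
    amap = LdapAttributeMap("corp-ad-map")                              # step 1
    amap.map_name("memberOf", "IETF-Radius-Class")                      # step 2
    amap.map_name("department", "Banner1")
    amap.map_value("memberOf",                                           # step 3
                   "CN=VPN-Sales,OU=Groups,DC=example,DC=com", "SalesPolicy")
    amap.map_value("memberOf",
                   "CN=VPN-Eng,OU=Groups,DC=example,DC=com", "EngPolicy")
    return amap


# Constructed sample entry, as the directory might return it for a user.
SAMPLE_ENTRY = {
    "objectClass": ["user"],
    "department": ["Sales"],
    "memberOf": ["CN=VPN-Sales,OU=Groups,DC=example,DC=com",
                 "CN=Printer-Users,OU=Groups,DC=example,DC=com"],
}


def translate_sample() -> dict:
    return build_corp_map().apply(SAMPLE_ENTRY)
```

Note in the result that a group with no value mapping (Printer-Users) is still presented under the Cisco name verbatim, which is why every value the directory can return for a mapped attribute deserves an entry on the Map Value tab.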
Fields

NameSpecifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map. Name MapDisplays the fields necessary for mapping custom attribute names to Cisco attribute names. Value MapDisplays the fields necessary for mapping custom attribute values to custom attribute names and to the matching Cisco attribute name and value.

Add/Edit LDAP Attribute Map > Map Name Tab

The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. See also Add/Edit LDAP Attribute Map.


Some fields vary depending upon whether you have selected the Map Name tab or the Map Value tab. When you click the Map Name tab, the following fields display.
Fields

Name - Specifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map.
Custom Name - Specifies the custom, user-defined attribute name that maps to an attribute name selected from the Cisco Name drop-down list.
Cisco Name - Specifies the Cisco attribute name you want to map to the user-defined name in the Custom Name field.
Add - Inserts the name mapping into the attribute map.
Remove - Removes the selected name mapping from the attribute map.
Custom Name - Displays the custom attribute names of mappings in the attribute map.
Cisco Name - Displays the Cisco attribute names of mappings in the attribute map.

Add/Edit LDAP Attribute Map > Map Value Tab

The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. See also Add/Edit LDAP Attribute Map. Some fields vary depending upon whether you have selected the Map Name tab or the Map Value tab. When you click the Map Value tab, the following fields appear.
Fields

Name - Specifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map.
Custom Name - Displays the custom attribute names of mappings in the attribute map.
Custom to Cisco Map Value - Displays the mapping of a custom value to a Cisco value for a custom attribute.
Add - Displays the Add LDAP Attributes Map Value dialog box.
Edit - Displays the Edit LDAP Attributes Map Value dialog box.
Delete - Deletes the selected attribute value mapping from the LDAP attribute map.

Add/Edit LDAP Attributes Value Map


The Add/Edit LDAP Attribute Map Value dialog box lets you map a custom attribute value for a custom attribute name to the Cisco value of the associated Cisco attribute name.


Fields

Custom Name - If adding a new attribute value mapping, this is a drop-down list that lets you choose a custom attribute name from a list of attributes which do not yet have a custom value mapped to a Cisco attribute value. If editing an existing attribute value mapping, this is a read-only field which displays the name of the custom attribute selected on the Map Value tab of the Add/Edit LDAP Attribute Map dialog box.
Custom Value - Specifies a custom value for the selected custom attribute.
Cisco Value - Specifies the Cisco value for the selected custom attribute.
Add - Adds the value mapping to the custom attribute value map.
Remove - Removes the value mapping from the custom attribute value map.
Custom Name - Displays the custom value for the custom attribute name.
Cisco Name - Displays the Cisco value for the Cisco attribute name.


Chapter 11

Configuring Device Access

This chapter contains the following topics:

AAA Access
HTTPS/ASDM
Secure Shell
Telnet
Virtual Access

AAA Access
The AAA Access pane includes tabs for configuring authentication, authorization, and accounting for management access. For an overview of AAA services, see Configuring AAA Servers.

Authentication Tab
Authorization Tab
Accounting Tab

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Authentication Tab
Use this tab to enable authentication for administrator access to the security appliance. Authentication lets you control access by requiring a valid username and password. You can configure the security appliance to authenticate the following items:

All administrative connections to the security appliance using the following methods: Telnet, SSH, HTTPS/ASDM, Serial

The enable command

Fields

Require authentication to allow use of privileged mode commands - Specifies the parameters that control access to the privileged mode commands.
Enable - Enables or disables the requirement that a user be authenticated before being allowed to use privileged mode commands.
Server Group - Selects the server group to use for authenticating users to use privileged mode commands.
Use LOCAL when server group fails - Allows the use of the LOCAL database for authenticating users to use privileged mode commands if the selected server group fails.

Require authentication for the following types of connections - Specifies the types of connections for which you want to require authentication and specifies the server group to use for that authentication.
HTTP/ASDM - Specifies whether to require authentication for HTTP/ASDM connections.
Server Group - Selects the server group to use for authenticating the specified connection type.
Use LOCAL when server group fails - Allows the use of the LOCAL database for authenticating the specified connection type if the selected server group fails.
SSH - Specifies whether to require authentication for SSH connections.
Telnet - Specifies whether to require authentication for Telnet connections.
Serial - Specifies whether to require authentication for serial connections.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Authorization Tab
Authorization lets you control access per user after you authenticate with a valid username and password. You can configure the security appliance to authorize management commands. Authorization lets you control which services and commands are available to an individual user. Authentication alone provides the same access to services for all authenticated users.


When you enable command authorization, you have the option of manually assigning privilege levels to individual commands or groups of commands (using the Advanced button) or enabling the Predefined User Account Privileges (using the Restore Predefined User Account Privileges button):

Predefined User | Privilege Level | Description
Admin | 15 | Full access to all CLI commands
Read Only | 5 | Read only access to all commands
Monitor Only | 3 | Monitoring tab only

The Predefined User Account Privileges Setup pane displays a list of commands and privileges ASDM issues to the security appliance if you click Yes. Yes allows ASDM to support the three privilege levels: Admin, Read Only and Monitor Only. The Command Privileges Setup pane displays a list of commands and privileges ASDM is going to issue to the security appliance. You can select one or more commands in the lists and use the Edit button to change the privilege level for the selected commands.
Fields

Enable - Enables or disables authorization for security appliance command access. Selecting this check box activates the remaining parameters on this pane.
Server Group - Selects the server group to use for authorizing users for command access.
Use LOCAL when server group fails - Allows the use of the LOCAL database for authorizing users to use privileged mode commands if the selected server group fails.
Advanced - Opens the Command Privileges Setup pane, on which you can manually assign privilege levels to individual commands or a group of commands.
Restore Predefined User Account Privileges - Opens the Predefined User Account Command Privilege Setup pane, which sets up predefined user profiles and sets the privilege levels for the selected, listed commands.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Command Privileges Setup


Use this pane to assign privilege levels to individual commands or groups of commands. Clicking a column heading sorts the entire table in alphanumeric order, using the selected column as the key field.

Command Mode - Selects a specific command mode or All Modes. This selection determines what appears in the Command Modes table immediately below this list.
CLI Command - Specifies the name of a CLI command.
Mode - Indicates a mode that applies to this command. Certain commands have more than one mode.
Variant - Indicates the form (for example, show or clear) of the specified command to which the privilege level applies.
Privilege - Shows the privilege level currently assigned to this command.
Edit - Displays the Select Command(s) Privilege dialog box. This dialog box lets you select from a list the privilege level for one or more commands selected on the parent window. The Command Modes table reflects the change as soon as you click OK.
Select All - Selects the entire contents of the Command Modes table.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Predefined User Account Command Privilege Setup


This pane asks whether you want the security appliance to set up user profiles named Admin, Read Only, and Monitor Only. You get to this pane by clicking Restore Predefined User Account Privileges on the Authorization tab of the Authentication/Authorization/Accounting pane.
Fields

Command List - Lists the CLI commands, their modes, variants, and privileges, affected by the predefined user account privilege setup.
CLI Command - Specifies the name of a CLI command.
Mode - Indicates a mode that applies to this command. Certain commands have more than one mode.
Variant - Indicates the form (for example, show or clear) of the specified command to which the privilege level applies.
Privilege - Shows the privilege level currently assigned to this command.

Yes - Directs the security appliance to set up the listed commands with the respective privilege levels. This setup lets you create users through the User Accounts pane with the roles Admin, privilege level 15; Read Only, with privilege level 5; and Monitor Only with privilege level 3.
No - Lets you manage the privilege levels of commands and users manually.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Accounting Tab
Accounting lets you keep track of traffic that passes through the security appliance. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, the AAA client messages and username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Note

You can configure accounting only for a TACACS+ server group. If no such group has yet been configured, go to Configuration > Properties > AAA Setup > AAA Server Groups.
Fields

Require accounting to allow accounting of user activity - Specifies parameters related to accounting of user activity.
Enable - Enables or disables the requirement to allow accounting of user activity.
Server Group - Specifies the selected server group, if any, to use for user accounting. If no TACACS+ server group exists, the default value of this list is --None--.

Note

The definition of the Server Group list parameter is the same for all group boxes on this pane.

Require accounting for the following types of connections - Specifies the connection types for which you want to require accounting and the respective server groups for each.
HTTP/ASDM - Requires accounting for HTTP/ASDM connections.
Serial - Requires accounting for serial connections.
SSH - Requires accounting for secure shell (SSH) connections.
Telnet - Requires accounting for Telnet connections.

Require command accounting for Security Appliance - You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. If you customize the command privilege level using the Configuration > Device Access > AAA Access > Authorization > Command Privilege Setup dialog box, you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
Enable - Enables accounting for commands.
Privilege level - Sets the minimum privilege level for which to perform command accounting.
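The authorization and accounting rules described in this chapter (a privilege level per command variant, the predefined Admin/Read Only/Monitor Only levels, no accounting for show commands, and a minimum privilege level for command accounting), as an added Python model that is not part of ASDM or the appliance. The command privilege table and the variant vocabulary are constructed for illustration; whether a rejected command is still accounted is not stated in the guide, so the two checks are kept independent.

```python
from dataclasses import dataclass
from typing import Optional

# Predefined User Account Privileges from the Authorization tab.
PREDEFINED_LEVELS = {"Admin": 15, "Read Only": 5, "Monitor Only": 3}


@dataclass(frozen=True)
class CommandPrivilege:
    command: str
    mode: str
    variant: str       # "show", "clear" or "configure" (constructed vocabulary)
    privilege: int


# Constructed privilege table in the shape of the Command Privileges Setup pane.
PRIVILEGE_TABLE = [
    CommandPrivilege("aaa-server", "configure", "show", 5),
    CommandPrivilege("aaa-server", "configure", "configure", 15),
    CommandPrivilege("aaa-server", "configure", "clear", 15),
    CommandPrivilege("logging", "exec", "show", 3),
    CommandPrivilege("logging", "configure", "configure", 15),
    CommandPrivilege("ssh", "configure", "show", 5),
    CommandPrivilege("ssh", "configure", "configure", 15),
]


def required_level(command: str, variant: str,
                   mode: Optional[str] = None) -> Optional[int]:
    """Privilege level assigned to this command form; None if it is not in the table."""
    for entry in PRIVILEGE_TABLE:
        if entry.command == command and entry.variant == variant \
                and (mode is None or entry.mode == mode):
            return entry.privilege
    return None


def is_authorized(user_level: int, command: str, variant: str) -> bool:
    """Command authorization: the user's level must reach the level assigned to the command.

    A command absent from the table is refused (fail closed, a modelling choice).
    """
    needed = required_level(command, variant)
    return needed is not None and user_level >= needed


def is_accounted(command: str, variant: str, minimum_level: int) -> bool:
    """Command accounting: show commands are never recorded; other commands are
    recorded only when their privilege level is at or above the configured minimum."""
    if variant == "show":
        return False
    needed = required_level(command, variant)
    return needed is not None and needed >= minimum_level


def review_session(role: str, commands, minimum_level: int):
    """For each (command, variant) a user with a predefined role enters,
    report (command, variant, authorized, accounted)."""
    level = PREDEFINED_LEVELS[role]
    return [(cmd, var, is_authorized(level, cmd, var), is_accounted(cmd, var, minimum_level))
            for cmd, var in commands]
```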

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

HTTPS/ASDM
The HTTPS/ASDM pane provides a table that specifies the addresses of all the hosts or networks that are allowed access to the ASDM using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.
Fields

Interface - Lists the interface on the security appliance from which the administrative access to the device manager is allowed.
IP Address - Lists the IP address of the network or host that is allowed access.
Mask - Lists the network mask associated with the network or host that is allowed access.
Add - Displays the Add HTTP Configuration dialog box for adding a new host or network.
Edit - Displays the Edit HTTP Configuration dialog box for editing the selected host or network.
Delete - Deletes the selected host or network.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Add/Edit HTTP Configuration


The Add/Edit HTTP Configuration dialog box lets you add a host or network that will be allowed administrative access to the security appliance device manager over HTTPS.
Fields

Interface Name - Specifies the interface on the security appliance from which the administrative access to the security appliance device manager is allowed.
IP Address - Specifies the IP address of the network or host that is allowed access.
Mask - Specifies the network mask associated with the network or host that is allowed access.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.

Secure Shell
The Secure Shell pane lets you configure rules that permit only specific hosts or networks to connect to the security appliance for administrative access using the SSH protocol. The rules restrict SSH access to a specific IP address and netmask. SSH connection attempts that comply with the rules must then be authenticated by a AAA server or the Telnet password. You can monitor SSH sessions using Monitoring > Administration > Secure Shell Sessions.
Fields

The Secure Shell pane displays the following fields:

Allowed SSH Versions - Restricts the version of SSH accepted by the security appliance. By default, SSH Version 1 and SSH Version 2 connections are accepted.
Timeout (minutes) - Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the security appliance closes it. The default is 5 minutes.
SSH Access Rule - Displays the hosts and networks that are allowed to access the security appliance using SSH. Double-clicking a row in this table opens the Edit SSH Configuration dialog box for the selected entry.
Interface - Displays the name of a security appliance interface that will permit SSH connections.
IP Address - Displays the IP address of each host or network permitted to connect to this security appliance through the specified interface.
Mask - Displays the netmask for the IP address of each host or network permitted to connect to this security appliance through the specified interface.
Add - Opens the Add SSH Configuration dialog box.
Edit - Opens the Edit SSH Configuration dialog box.
Delete - Deletes the selected SSH access rule.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent. Security Context: Single, Multiple Context, System.


Add/Edit SSH Configuration


The Add SSH Configuration dialog box lets you add a new SSH access rule to the rule table. The Edit SSH Configuration dialog box lets you change an existing rule.
Fields

Interface - Specifies the name of the security appliance interface that permits SSH connections.
IP Address - Specifies the IP address of the host or network that is permitted to establish an SSH connection with the security appliance.
Mask - The netmask of the host or network that is permitted to establish an SSH connection with the security appliance.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Telnet
The Telnet pane lets you configure rules that permit only specific hosts or networks running ASDM to connect to the security appliance using the Telnet protocol. The rules restrict administrative Telnet access through a security appliance interface to a specific IP address and netmask. Connection attempts that comply with the rules must then be authenticated by a preconfigured AAA server or the Telnet password. You can monitor Telnet sessions using Monitoring > Telnet Sessions.

Note

Although a configuration file may contain more, there may be only five Telnet sessions active at the same time in single context mode. In multiple context mode, there may be only five Telnet sessions active per context.
Fields

The Telnet pane displays the following fields:

Telnet Rule Table:
Interface: Displays the name of a security appliance interface which will permit Telnet connections, an interface on which is located a PC or workstation running ASDM.
IP Address: Displays the IP address of each host or network permitted to connect to this security appliance through the specified interface.

Note

This is not the IP address of the security appliance interface.


Netmask: Displays the netmask for the IP address of each host or network permitted to connect to this security appliance through the specified interface.

Note

This is not the IP address of the security appliance interface.

Timeout: Displays the number of minutes, 1 to 60, that a Telnet session can remain idle before the security appliance closes it. The default is 5 minutes.
Add: Opens the Add Telnet Configuration dialog box.
Edit: Opens the Edit Telnet Configuration dialog box.
Delete: Deletes the selected item.
Apply: Sends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit.
Reset: Discards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Add/Edit Telnet Configuration


Adding Telnet Rules

To add a rule to the Telnet rule table, perform the following steps:

1. Click the Add button to open the Telnet > Add dialog box.
2. Click Interface to add a security appliance interface to the rule table.
3. In the IP Address box, enter the IP address of the host running ASDM which will be permitted Telnet access through this security appliance interface.

Note

This is not the IP address of the security appliance interface.

4. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access.

Note

This is not a mask for the IP address of the security appliance interface.

5. To return to the previous pane, click one of the following buttons:
OK: Accepts changes and returns to the previous pane.
Cancel: Discards changes and returns to the previous pane.
Help: Provides more information.

Editing Telnet Rules

To edit a rule in the Telnet rule table, perform the following steps:

1. Click Edit to open the Telnet > Edit dialog box.
2. Click Interface to select a security appliance interface from the rule table.
3. In the IP Address field, enter the IP address of the host running ASDM which will be permitted Telnet access through this security appliance interface.

Note

This is not the IP address of the security appliance interface.

4. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access.

Note

This is not a mask for the IP address of the security appliance interface.

5. To return to the previous window, click one of the following buttons:
OK: Accepts changes and returns to the previous pane.
Cancel: Discards changes and returns to the previous pane.
Help: Provides more information.

Deleting Telnet Rules

To delete a rule from the Telnet table, perform the following steps:

1. Select a rule from the Telnet rule table.
2. Click Delete.

Applying Changes

Changes to the table made by Add, Edit, or Delete are not immediately applied to the running configuration. To apply or discard changes, click one of the following buttons:

1. Apply: Sends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit.
2. Reset: Discards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed.

Fields

Interface Name: Select the interface to allow Telnet access to the security appliance.
IP Address: Enter the IP address of the host or network permitted to Telnet to the security appliance.
Mask: Enter the subnet mask of the host or network permitted to Telnet to the security appliance.
OK: Accepts changes and returns to the previous pane.
Cancel: Discards changes and returns to the previous pane.
Help: Provides more information.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
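The Secure Shell and Telnet panes described above each write a handful of lines into the running configuration when you click Apply, and auditing those lines is the quickest way to confirm who can reach the management plane. The following is an added example of that configuration, not text from this guide; the interface names, addresses and user name are assumptions.

```cisco
! Added example, not from the guide: the running configuration that the Secure Shell and
! Telnet panes correspond to after Apply. Interface names, addresses and the user name
! are assumptions.

! Allowed SSH Versions: accept SSH Version 2 only (the default accepts Versions 1 and 2).
ssh version 2
! Timeout (minutes): close an idle SSH session after 10 minutes (range 1 to 60, default 5).
ssh timeout 10
! SSH Access Rule table: one "ssh <address> <mask> <interface>" line per row. The mask
! describes the remote host or network, not the appliance interface; a single host uses
! 255.255.255.255. An all-zeros address and mask on an outward-facing interface would
! admit every source on that network to the SSH server and should not appear here.
ssh 192.168.10.5 255.255.255.255 management
ssh 10.1.1.0 255.255.255.0 inside
! SSH needs an RSA key pair on the appliance (privileged EXEC command, not stored in the
! configuration).
crypto key generate rsa modulus 2048
! Authenticate SSH logins against the local user database rather than the Telnet password.
username admin password <placeholder-password> privilege 15
aaa authentication ssh console LOCAL

! Telnet Rule Table: "telnet <address> <mask> <interface>", restricted to the single host
! running ASDM, plus the Timeout field. Telnet carries credentials in clear text, so the
! rule is deliberately as narrow as the SSH rules above.
telnet 192.168.10.5 255.255.255.255 management
telnet timeout 5
! The Telnet password; it is also what SSH falls back to when no AAA authentication is
! configured for SSH.
passwd <placeholder-password>
```

Use show running-config ssh and show running-config telnet on the appliance to compare what the panes show with what is actually enforced.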

Virtual Access
The Virtual Access pane lets you configure a virtual Telnet server address on the security appliance to use for network access authentication. Although you can configure network access authentication for any protocol or service, only HTTP, Telnet, or FTP provide an authentication challenge. A user must first authenticate with one of these services before other traffic requiring authentication is allowed through.

In some cases, you might not want to allow HTTP, Telnet, or FTP through the security appliance, but still need to authenticate other types of traffic. In those cases, you can create a virtual Telnet server on the security appliance. Users connect to the security appliance using Telnet to the virtual Telnet IP address, and the security appliance provides a Telnet prompt.

When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and is then authenticated by the AAA server. Once authenticated, the user sees the message Authentication Successful. The user can then access other services that require authentication. To log out from the security appliance, reconnect to the virtual IP address; you are prompted to log out.
Fields

Virtual Telnet ServerEnter the virtual Telnet server IP address.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
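The virtual Telnet server only produces a challenge if the virtual address is itself part of the traffic selected for authentication, which the pane above does not show. The following is an added example of the complete configuration, not text from this guide; the addresses, AAA server group name and the protected port are assumptions.

```cisco
! Added example, not from the guide: a virtual Telnet server used to authenticate inside
! users before a protocol that carries no login prompt is allowed through. Addresses, the
! AAA server group and the protected port are assumptions.

! AAA server that answers the username/password challenge.
aaa-server AUTHSRV protocol radius
aaa-server AUTHSRV (inside) host 10.1.1.20
 key <placeholder-radius-key>

! Virtual Telnet Server field: an unused address that the inside hosts route through the
! security appliance (it is not the address of any appliance interface).
virtual telnet 10.99.99.1

! Traffic that requires authentication. The virtual Telnet address must be in this list,
! otherwise the challenge never happens; here a database port on the server network is
! protected as well, although a database client would never see a login prompt on its own.
access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 10.99.99.1 eq telnet
access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 1521

! Challenge traffic matching AUTH on the inside interface using AUTHSRV.
aaa authentication match AUTH inside AUTHSRV

! How long an authenticated user (uauth entry) stays valid; reconnecting to the virtual
! address logs the user out before this expires.
timeout uauth 0:30:00 absolute
```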

Chapter 12
Failover
This section contains the following topics:

Understanding Failover
Configuring Failover with the High Availability and Scalability Wizard
Field Information for the Failover Panes

Understanding Failover
The Failover pane contains the settings for configuring failover on the security appliance. However, the Failover pane changes depending upon whether you are in multiple mode or single mode, and when you are in multiple mode, it changes based on the security context you are in.

Failover allows you to configure two security appliances so that one will take over operation if the other fails. Using a pair of security appliances, you can provide high availability with no operator intervention.

The security appliance communicates failover information over a dedicated failover link. This failover link can be either a LAN-based connection or, on the PIX security appliance platform, a dedicated serial failover cable. The following information is communicated over the failover link:

The failover state (active or standby).
Hello messages (keep-alives).
Network link status.
MAC address exchange.
Configuration replication.

Caution

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the security appliance to terminate VPN tunnels.

The security appliance supports two types of failover, Active/Standby and Active/Active. Additionally, failover can be stateful or stateless. For more information about the types of failover, see the following topics:

Active/Standby Failover
Active/Active Failover
Stateless (Regular) Failover
Stateful Failover

Active/Standby Failover
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.

When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to security appliances in single mode or multiple mode.

Active/Active Failover
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode. To enable Active/Active failover on the security appliance, you need to create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover.

A failover group is simply a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:

When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit.
When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.

After both units are running, commands are replicated from one unit to the other as follows:

Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.

Note

A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.

Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.

In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.

Note

When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.

Stateless (Regular) Failover


Stateless failover is also referred to as regular failover. In stateless failover, all active connections are dropped when a failover occurs. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover
Note

Stateful Failover is not supported on the ASA 5505 series adaptive security appliance.

When Stateful Failover is enabled, the active unit in the failover pair continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

Note

The IP address and MAC address for the state and LAN failover links do not change at failover.

To use Stateful Failover, you must configure a state link to pass all state information to the standby unit. If you are using a LAN failover connection rather than the serial failover interface (available on the PIX security appliance platform only), you can use the same interface for the state link as the failover link. However, we recommend that you use a dedicated interface for passing state information to the standby unit.

The following information is passed to the standby unit when Stateful Failover is enabled:

NAT translation table.
TCP connection table (except for HTTP), including the timeout connection.
HTTP connection states (if HTTP replication is enabled).
H.323, SIP, and MGCP UDP media connections.
The system clock.
The ISAKMP and IPSec SA table.

The following information is not copied to the standby unit when Stateful Failover is enabled:

HTTP connection table (unless HTTP replication is enabled).
The user authentication (uauth) table.
The ARP table.
Routing tables.

Configuring Failover with the High Availability and Scalability Wizard


The High Availability and Scalability Wizard steps you through the process of creating an Active/Active failover configuration, an Active/Standby failover configuration, or a VPN Cluster Load Balancing configuration. See the following topics for information about using the High Availability and Scalability Wizard:

Accessing and Using the High Availability and Scalability Wizard
Configuring Active/Active Failover with the High Availability and Scalability Wizard
Configuring Active/Standby Failover with the High Availability and Scalability Wizard
Configuring VPN Load Balancing with the High Availability and Scalability Wizard
Field Information for the High Availability and Scalability Wizard

Accessing and Using the High Availability and Scalability Wizard


To open the High Availability and Scalability Wizard, choose Wizards > High Availability and Scalability Wizard from the ASDM menu bar. The first screen of the wizard appears.

To move to the next screen of the wizard, click the Next button. You must complete the mandatory fields of each screen before you can move to the next screen. To move to a previous screen of the wizard, click the Back button. If information filled in on later screens of the wizard is not affected by the change you make to an earlier screen, that information remains on the screen as you move forward through the wizard again. You do not need to reenter it.

To leave the wizard at any time without saving any changes, click Cancel. To send your configuration to the security appliance at the end of the wizard, click Finish.

Configuring Active/Active Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Active failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1 Choose Configure Active/Active failover on the Choose the type of failover configuration screen. See Choose the Type of Failover Configuration for more information about this screen.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed. See Check Failover Peer Connectivity and Compatibility for more information about this screen.

Step 3 If the security appliance or the failover peer are in single context mode, change them to multiple context mode on the Change Device to Multiple Mode screen. When you change the security appliance to multiple context mode, it will reboot. ASDM automatically reestablishes communication with the security appliance when it has finished rebooting. See Change Device to Multiple Mode for more information about this screen.

Step 4 (PIX 500 series security appliance only) Select cable-based or LAN-based failover on the Select Failover Communication Media screen. See Select Failover Communication Media for more information about this screen.

Step 5 Assign security contexts to failover groups on the Context Configuration screen. You can add and delete contexts on this screen. See Security Context Configuration for more information about this screen.

Step 6 Define the Failover Link on the Failover Link Configuration screen. See Failover Link Configuration for more information about this screen.

Step 7 (Not available on the ASA 5505 security appliance) Define the Stateful Failover link on the State Link Configuration screen. See State Link Configuration for more information about this screen.

Step 8 Add standby addresses to the security appliance interfaces on the Standby Address Configuration screen. See Standby Address Configuration for more information about this screen.

Step 9 Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen.

Step 10 Click Finish. The failover configuration is sent to the security appliance and to the failover peer.

Configuring Active/Standby Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Standby failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1 Choose Configure Active/Standby failover on the Choose the type of failover configuration screen. Click Next. See Choose the Type of Failover Configuration for more information about this screen.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed. See Check Failover Peer Connectivity and Compatibility for more information about this screen.

Step 3 (PIX 500 series security appliance only) Select cable-based or LAN-based failover on the Select Failover Communication Media screen. See Select Failover Communication Media for more information about this screen.

Step 4 Define the Failover Link on the Failover Link Configuration screen. See Failover Link Configuration for more information about this screen.

Step 5 (Not available on the ASA 5505 security appliance) Define the Stateful Failover link on the State Link Configuration screen. See State Link Configuration for more information about this screen.

Step 6 Add standby addresses to the security appliance interfaces on the Standby Address Configuration screen. See Standby Address Configuration for more information about this screen.

Step 7 Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen.

Step 8 Click Finish. The failover configuration is sent to the security appliance and to the failover peer.
Configuring VPN Load Balancing with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring VPN cluster load balancing using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1 Choose Configure VPN Cluster Load Balancing failover on the Choose the type of failover configuration screen. See Choose the Type of Failover Configuration for more information about this screen.

Step 2 Configure the VPN load balancing settings on the VPN Cluster Load Balancing Configuration screen. See VPN Cluster Load Balancing Configuration for more information about this screen.

Step 3 Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen.

Step 4 Click Finish. The failover configuration is sent to the security appliance and to the failover peer.


Field Information for the High Availability and Scalability Wizard


The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring and the hardware platform you are configuring it on.

Choose the Type of Failover Configuration
Check Failover Peer Connectivity and Compatibility
Change Device to Multiple Mode
Security Context Configuration
Failover Link Configuration
State Link Configuration
Standby Address Configuration
VPN Cluster Load Balancing Configuration
Summary

Choose the Type of Failover Configuration


The Choose the Type of Failover Configuration screen lets you select the type of failover to configure.
Fields

The Choose the Type of Failover Configuration screen displays the following informational fields. These are useful for determining the failover capabilities of the security appliance.

Hardware Model: (Display only) Displays the security appliance model number.
No. of Interfaces: (Display only) Displays the number of interfaces available on the security appliance.
No. of Modules: (Display only) Displays the number of modules installed on the security appliance.
Software Version: (Display only) Displays the version of the platform software on the security appliance.
Failover License: (Display only) Displays the type of failover license installed on the device. You may need to purchase an upgraded license to configure failover.
Firewall Mode: (Display only) Displays the firewall mode (routed or transparent) and the context mode (single or multiple).

Choose the type of failover configuration you are configuring:

Configure Active/Active Failover: Configures the security appliance for Active/Active failover.
Configure Active/Standby Failover: Configures the security appliance for Active/Standby failover.
Configure VPN Cluster Load Balancing: Configures the security appliance to participate in VPN load balancing as part of a cluster.


Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Check Failover Peer Connectivity and Compatibility


The Check Failover Peer Connectivity and Compatibility screen lets you verify that the selected failover peer is reachable and compatible with the current unit. If any of the connectivity and compatibility tests fail, you must correct the problem before you can proceed with the wizard.
Fields

Peer IP Address: Enter the IP address of the peer unit. This address does not have to be the failover link address, but it must be an interface that has ASDM access enabled on it.
Test Compatibility: Click this button to perform the following connectivity and compatibility tests:
  Connectivity test from this ASDM to the peer unit
  Connectivity test from this firewall device to the peer firewall device
  Hardware compatibility test
  Software version compatibility
  Failover license compatibility
  Firewall mode compatibility

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Change Device to Multiple Mode


The Change Device to Multiple Mode dialog box appears for Active/Active failover configuration only. Active/Active failover requires the security appliance to be in multiple context mode. This dialog box lets you convert a security appliance in single context mode to multiple context mode.

When you convert from single context mode to multiple context mode, the security appliance creates the system configuration and the admin context from the current running configuration. The admin context configuration is stored in the admin.cfg file. The conversion process does not save the previous startup configuration, so if the startup configuration differed from the running configuration, those differences are lost.

Converting the security appliance from single context mode to multiple context mode causes the security appliance to reboot. However, the High Availability and Scalability Wizard restores connectivity with the newly created admin context and reports the status in the Device Status field in this dialog box.


You need to convert both the current security appliance and the peer security appliance to multiple context mode before you can proceed.
Fields

Change device To Multiple Context: Causes the security appliance to change to multiple context mode. device is the hostname of the security appliance.
Change device (peer) To Multiple Context: Causes the peer unit to change to multiple context mode. device is the hostname of the security appliance.
Device Status: (Display only) Displays the status of the security appliance while converting to multiple context mode.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Select Failover Communication Media


The Select Failover Communication Media screen appears only on PIX 500 series security appliances. This screen lets you select between using a failover cable or a LAN-based connection for the failover link.
Fields

Use Failover Cable: Choose this option to use a dedicated failover cable for failover communication.
Use LAN-based connection: Choose this option to use a network connection for failover communication.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Security Context Configuration


The Security Context Configuration screen appears for Active/Active configuration only. The Security Context Configuration screen lets you assign security contexts to failover groups. It displays the security contexts currently configured on the device and lets you add new ones or remove existing ones as needed.


Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.
Fields

Name: Displays the name of the security context. To change the name, click the name and type a new name.
Failover Group: Displays the failover group the context is assigned to. To change the failover group for a security context, click the failover group and select the new failover group number from the drop-down list.

Modes

The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)

Failover Link Configuration


The Failover Link Configuration screen only appears if you are configuring LAN-based failover; it does not appear if you are configuring a PIX 500 series security appliance for cable-based failover.
Fields

LAN Interface: Choose the interface to use for failover communication from the drop-down list.
Logical Name: Type a name for the interface.
Active IP: Type the IP address used for the failover link on the unit that has failover group 1 in the active state.
Standby IP: Type the IP address used for the failover link on the unit that has failover group 1 in the standby state.
Subnet Mask: Type or select a subnet mask for the Active IP and Standby IP addresses.
Secret Key: (Optional) Enter the key used to encrypt failover communication. If this field is left blank, failover communication, including any passwords or keys in the configuration sent during command replication, is in clear text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single


State Link Configuration


The State Link Configuration screen does not appear in the wizard for ASDM running on the ASA 5505 platform. The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.
Fields

Use the LAN link as the State Link: Choose this option to pass state information across the LAN-based failover link. This option is not available on PIX 500 series security appliances configured for cable-based failover.
Disable Stateful Failover: Choose this option to disable Stateful Failover.
Configure another interface for Stateful failover: Choose this option to configure an unused interface as the Stateful Failover interface.
  State Interface: Choose the interface you want to use for Stateful Failover communication from the drop-down list.
  Logical Name: Type the name for the Stateful Failover interface.
  Active IP: Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the active state.
  Standby IP: Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the standby state.
  Subnet Mask: Type or select a subnet mask for the Active IP and Standby IP addresses.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

Standby Address Configuration


Use the Standby Address Configuration screen to assign standby addresses to the interface on the security appliance.
Fields

Device/Interface: (Active/Standby failover) Displays the interfaces configured on the failover units. Click the plus sign (+) by a device name to display the interfaces on that device. Click the minus sign (-) by a device name to hide the interfaces on that device.
Device/Group/Context/Interface: (Active/Active failover) Displays the interfaces configured on the failover unit. The interfaces are grouped by context and the contexts are grouped by failover group. Click the plus sign (+) by a device, failover group, or context name to expand the list. Click the minus sign (-) by a device, failover group, or context name to collapse the list.


Active IP: Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.
Standby IP: Double-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit.
Is Monitored: Check this check box to enable health monitoring for that interface. Uncheck the check box to disable health monitoring. By default, health monitoring of physical interfaces is enabled and health monitoring of virtual interfaces is disabled.
ASR Group: Select the asynchronous group ID from the drop-down list. This setting is only available for physical interfaces. For virtual interfaces this field displays None.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

VPN Cluster Load Balancing Configuration


If you have a remote-client configuration in which you are using two or more security appliances connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and availability. Use the VPN Cluster Load Balancing Configuration screen to set the parameters necessary for this device to participate in a load balancing cluster.

Note

VPN load balancing runs only on security appliance models ASA 5520 and higher. VPN load balancing requires an active 3DES/AES license. The security appliance checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the security appliance prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage.

Enabling load balancing involves:

Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP port (if necessary), and IPSec shared secret for the cluster. These values are identical for every device in the cluster.
Configuring the participating device by enabling load balancing on the device and defining device-specific properties. These values vary from device to device.


Note

Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing. To implement load balancing, you logically group two or more devices on the same private LAN-to-LAN network into a virtual cluster.
Fields

VPN Load Balancing: Configures virtual cluster device parameters.
  Cluster IP Address: Specifies the single IP address that represents the entire virtual cluster. Choose an IP address that is within the public subnet address range shared by all the security appliances in the virtual cluster.
  Cluster UDP Port: Specifies the UDP port for the virtual cluster in which this device is participating. The default value is 9023. If another application is using this port, enter the UDP destination port number you want to use for load balancing.
  Enable IPSec Encryption: Enables or disables IPSec encryption. If you select this check box, you must also specify and verify a shared secret. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the devices is encrypted, select this check box.

Note

When using encryption, you must have previously configured the load-balancing inside interface. If the load-balancing inside interface is not enabled, you get an error message when you try to configure cluster encryption. If the load-balancing inside interface is enabled when you configure cluster encryption, but is disabled before you configure the participation of the device in the virtual cluster, you get an error message when you select the Participate in Load Balancing Cluster check box, and encryption is not enabled for the cluster.

  Shared Secret Key: Specifies the shared secret between IPSec peers when you enable IPSec encryption. The value you enter in the box appears as consecutive asterisk characters.
  Priority Of This Device: Specifies the priority assigned to this device within the cluster. The range is from 1 to 10. The priority indicates the likelihood of this device becoming the virtual cluster master, either at start-up or when an existing master fails. The higher you set the priority (for example, 10), the more likely this device becomes the virtual cluster master.
  Public Interface Of This Device: Specifies the name or IP address of the public interface for this device.
  Private Interface Of This Device: Specifies the name or IP address of the private interface for this device.


Note

If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks when it is powered up to ensure that the cluster has a virtual master. If none exists, that device takes on the role. Devices powered up and added to the cluster later become secondary devices. If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master. If two or more devices in the virtual cluster are powered up simultaneously, and both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
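The master election the note above describes, as an added example that is not part of the ASDM guide or of Cisco software: a Python simulation of which device becomes virtual cluster master at power-up and after a master fails. Device names, priorities and addresses are constructed, and the same highest-priority, lowest-IP rule is assumed for the re-election after a master failure.

```python
"""Simulate virtual cluster master election for VPN load balancing as the
ASDM note describes it: a device that finds no master at power-up takes the
role and keeps it, devices joining later become secondaries, a simultaneous
power-up is decided by the highest priority, and a priority tie by the lowest
IP address.  When the master fails the remaining members elect again (the
same rule is assumed for that case).  Added example, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    priority: int            # "Priority Of This Device", 1 to 10
    public_ip: IPv4Address   # address used to break a priority tie

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 10:
            raise ValueError(f"{self.name}: priority must be 1-10, got {self.priority}")


def elect_master(candidates: Iterable[Device]) -> Device:
    """Highest priority wins; among equal priorities the lowest IP address wins."""
    pool = list(candidates)
    if not pool:
        raise ValueError("no device available to become master")
    return min(pool, key=lambda d: (-d.priority, int(d.public_ip)))


@dataclass
class VirtualCluster:
    master: Optional[Device] = None
    members: List[Device] = field(default_factory=list)

    def power_up(self, devices: Iterable[Device]) -> Device:
        """Power up one device, or several at the same moment; return the master."""
        batch = list(devices)
        self.members.extend(batch)
        if self.master is None:
            # No master exists yet, so the batch that arrives first elects one.
            self.master = elect_master(batch)
        # Otherwise the existing master keeps its role; newcomers are secondaries.
        return self.master

    def master_fails(self) -> Optional[Device]:
        """Drop the current master and let the remaining members elect a new one."""
        self.members = [d for d in self.members if d != self.master]
        self.master = elect_master(self.members) if self.members else None
        return self.master

    def secondaries(self) -> List[Device]:
        return [d for d in self.members if d != self.master]


if __name__ == "__main__":
    # Constructed devices on a documentation-only address range.
    a = Device("asa-a", 5, IPv4Address("203.0.113.10"))
    b = Device("asa-b", 10, IPv4Address("203.0.113.11"))
    c = Device("asa-c", 10, IPv4Address("203.0.113.9"))
    cluster = VirtualCluster()
    print("first up:", cluster.power_up([a]).name)          # asa-a
    print("after b, c join:", cluster.power_up([b, c]).name)  # still asa-a
    print("after master fails:", cluster.master_fails().name)  # asa-c (tie, lowest IP)
```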

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

Summary
The Summary screen displays the results of the configuration steps you performed in the previous wizard panels.
Fields

The configuration appears in the center of the screen. Verify your settings and click Finish to send your configuration to the device. If you are configuring failover, the configuration is also sent to the failover peer. If you need to change a setting, click Back until you reach the screen where you need to make the change. Make the change and click Next until you return to the Summary screen.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

Field Information for the Failover Panes


What displays on the failover pane depends upon the mode you are in (single or multiple context mode) and whether you are in the system execution space or in a security context. This section contains the following topics:

Failover - Single Mode
Failover-Multiple Mode, Security Context


Failover-Multiple Mode, System

Failover - Single Mode


The Failover pane contains the tabs where you can configure Active/Standby failover in single context mode. For more information about failover, see Understanding Failover. For more information about configuring the settings on each tab of the Failover pane, see the following topics. Note that the Interfaces tab changes based on whether you are in routed firewall mode or transparent firewall mode.

Failover: Setup
Failover: Interfaces (Routed Firewall Mode)
Failover: Interfaces (Transparent Firewall Mode)
Failover: Criteria
Failover: MAC Addresses

Failover: Setup
Use this tab to enable failover on the security appliance. You also designate the failover link and the state link, if using Stateful Failover, on this tab. For more information about configuring failover in general, see Understanding Failover.
Fields

Enable Failover: Checking this check box enables failover and lets you configure a standby security appliance.

Note

The speed and duplex settings for the failover interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces pane before enabling failover. ASDM displays a dialog box asking if you want to configure the peer unit when you enable failover. This dialog box also appears when the Preferred Role setting or, on the PIX security appliance platform, the Enable LAN rather than serial cable failover setting changes.

  Peer IP Address: Enter an IP address on the peer unit that ASDM can connect to. This field appears in the Do you want to configure the failover peer firewall dialog box.

Use 32 hexadecimal character key: Check this check box to enter a hexadecimal value for the encryption key in the Shared Key box. Uncheck this check box to enter an alphanumeric shared secret in the Shared Key box.
Shared Key: Specifies the failover shared secret or key for encrypted and authenticated communications between failover pairs. If you checked the Use 32 hexadecimal character key check box, enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f). If you unchecked the Use 32 hexadecimal character key check box, enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.


Enable LAN rather than serial cable failover: (PIX security appliance platform only) Check this check box to enable LAN Failover. Uncheck this check box to use the dedicated serial cable as the failover link.
LAN Failover: Contains the fields for configuring LAN Failover.
  Interface: Specifies the interface used for failover communication. Failover requires a dedicated interface; however, you can share the interface with Stateful Failover. Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane.
  Active IP: Specifies the IP address for the failover interface on the active unit.
  Subnet Mask: Specifies the mask for the failover interface on the primary and secondary unit.
  Logical Name: Specifies the logical name of the interface used for failover communication.
  Standby IP: Specifies the IP address used by the secondary unit to communicate with the primary unit.
  Preferred Role: Specifies whether the preferred role for this security appliance is as the primary or secondary unit in a LAN failover.
State Failover: Contains the fields for configuring Stateful Failover.

Note

Stateful Failover is not available on the ASA 5505 platform. This area does not appear on ASDM running on an ASA 5505 security appliance.

  Interface: Specifies the interface used for state communication. You can choose an unconfigured interface or subinterface, the LAN Failover interface, or the Use Named option.

Note

We recommend that you use two separate, dedicated interfaces for the LAN Failover interface and the Stateful Failover interface.

  If you choose an unconfigured interface or subinterface, you must supply the Active IP, Subnet Mask, Standby IP, and Logical Name for the interface. If you choose the LAN Failover interface, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used. If you choose the Use Named option, the Logical Name field becomes a drop-down list of named interfaces. Choose the interface from this list. The Active IP, Subnet Mask, and Standby IP values do not need to be specified; the values specified for the interface are used. Be sure to specify a standby IP address for the selected interface on the Interfaces tab.

Note

Because Stateful Failover can generate a large amount of traffic, performance for both Stateful Failover and regular traffic can suffer when you use a named interface.

  Active IP: Specifies the IP address for the Stateful Failover interface on the primary unit. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.


  Subnet Mask: Specifies the mask for the Stateful Failover interfaces on the primary and secondary units. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.
  Logical Name: Specifies the logical interface used for failover communication. If you selected the Use Named option in the Interface drop-down list, this field displays a list of named interfaces. This field is dimmed if the LAN Failover interface is selected in the Interface drop-down list.
  Standby IP: Specifies the IP address used by the secondary unit to communicate with the primary unit. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.
  Enable HTTP replication: Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
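A configuration check for the Setup fields above, added here as an example and not part of the ASDM guide or of Cisco software: it reads the failover lines of a running configuration and flags a missing or malformed shared key (failover traffic and replicated passwords cross the link in clear text) and a state link that shares the LAN failover interface. It assumes the CLI forms `failover key [hex] <key>`, `failover lan interface <name> <if>` and `failover link <name> [<if>]` that correspond to these fields; the sample configurations are constructed.

```python
"""Audit the failover settings of an ASA running configuration against the
Failover: Setup guidance: a shared key must be present (otherwise failover
communication, including passwords replicated in the configuration, is clear
text), a hex key must be exactly 32 hex characters, a text secret 1 to 63
characters, and the state link should not share the LAN failover interface.
Added example, not Cisco code; the CLI forms below are assumed and the sample
configurations are constructed."""
import re
from typing import Dict, List, Optional

HEX_KEY = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_failover(config: str) -> Dict[str, Optional[object]]:
    """Pull the failover settings of interest out of a configuration text."""
    cfg: Dict[str, Optional[object]] = {
        "enabled": False, "key": None, "key_is_hex": False,
        "lan_name": None, "lan_if": None, "link_name": None, "link_if": None,
    }
    for raw in config.splitlines():
        parts = raw.split()
        if parts == ["failover"]:
            cfg["enabled"] = True
        elif parts[:2] == ["failover", "key"] and len(parts) >= 3:
            if parts[2] == "hex" and len(parts) == 4:
                cfg["key"], cfg["key_is_hex"] = parts[3], True
            else:  # 'failover key <secret>': keep the secret as typed
                cfg["key"] = raw.strip()[len("failover key "):]
        elif parts[:3] == ["failover", "lan", "interface"] and len(parts) == 5:
            cfg["lan_name"], cfg["lan_if"] = parts[3], parts[4]
        elif parts[:2] == ["failover", "link"] and len(parts) >= 3:
            # 'failover link <name> [<if>]'; with no interface the state link
            # rides on the LAN failover interface named here
            cfg["link_name"] = parts[2]
            cfg["link_if"] = parts[3] if len(parts) > 3 else None
    return cfg


def audit_failover(config: str) -> List[str]:
    """Return finding codes for weak settings; an empty list means none found."""
    cfg = parse_failover(config)
    findings: List[str] = []
    if not cfg["enabled"]:
        return findings  # nothing crosses a failover link while failover is off
    key = cfg["key"]
    if key is None:
        findings.append("NO_FAILOVER_KEY")  # clear-text failover link
    elif cfg["key_is_hex"] and not HEX_KEY.match(str(key)):
        findings.append("HEX_KEY_NOT_32_HEX_CHARS")
    elif not cfg["key_is_hex"] and not 1 <= len(str(key)) <= 63:
        findings.append("SHARED_SECRET_LENGTH_NOT_1_TO_63")
    if cfg["link_name"] is not None and (
            cfg["link_if"] is None
            or cfg["link_name"] == cfg["lan_name"]
            or cfg["link_if"] == cfg["lan_if"]):
        findings.append("STATE_LINK_SHARES_LAN_FAILOVER_INTERFACE")
    return findings


# Constructed sample: no key, state link shares the LAN failover interface.
WEAK_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
"""

# Constructed sample: 32-hex-character key, dedicated state link interface.
HARDENED_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover key hex 0123456789abcdef0123456789abcdef
failover link statelink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover interface ip statelink 192.168.253.1 255.255.255.0 standby 192.168.253.2
"""

if __name__ == "__main__":
    print("weak:", audit_failover(WEAK_CONFIG))
    print("hardened:", audit_failover(HARDENED_CONFIG))
```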
Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Failover: Interfaces (Routed Firewall Mode)


Use this tab to define the standby IP address for each interface on the security appliance and to specify whether the status of the interface should be monitored. For more information about configuring failover in general, see Understanding Failover.
Fields

Interface: Lists the interfaces on the security appliance and identifies their active IP address, standby IP address, and monitoring status.
  Interface Name column: Identifies the interface name.
  Active IP column: Identifies the active IP address for this interface.
  Standby IP column: Identifies the IP address of the corresponding interface on the standby failover unit.
  Is Monitored column: Specifies whether this interface is monitored for failure.
Edit: Displays the Edit Failover Interface Configuration (Routed Firewall Mode) dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Routed Firewall Mode)


Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields

Interface Name: Identifies the interface name.
Active IP Address: Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.
Subnet Mask: Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
Standby IP Address: Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
Monitor interface for failure: Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Monitored failover interfaces can have the following status:
  Unknown: Initial status. This status can also mean the status cannot be determined.
  Normal: The interface is receiving traffic.
  Testing: Hello messages are not heard on the interface for five poll times.
  Link Down: The interface is administratively down.
  No Link: The physical link for the interface is down.
  Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.


Failover: Interfaces (Transparent Firewall Mode)


Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the security appliance should be monitored.
Fields

Interface: Lists the interfaces on the security appliance and identifies their monitoring status.
  Interface Name column: Identifies the interface name.
  Is Monitored column: Specifies whether this interface is monitored for failure.
Edit: Displays the Edit Failover Interface Configuration (Transparent Firewall Mode) dialog box for the selected interface.
Management IP Address: Identifies the active and standby management IP addresses for the security appliance or for a context in transparent firewall mode.
  Active: Identifies the active management IP address.
  Standby: Specifies the management IP address on the standby failover unit.
Management Netmask: Identifies the mask associated with the active and standby management IP addresses.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Transparent Firewall Mode)


Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.
Fields

Interface Name: Identifies the interface name.
Monitor interface for failure: Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
  Unknown: Initial status. This status can also mean the status cannot be determined.
  Normal: The interface is receiving traffic.
  Testing: Hello messages are not heard on the interface for five poll times.
  Link Down: The interface is administratively down.


  No Link: The physical link for the interface is down.
  Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Failover: Criteria
Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.
Fields

Interface Policy: Contains the fields for defining the policy for failover when monitoring detects an interface failure.
  Number of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the value you set with this command, the security appliance fails over. The range is between 1 and 250 failures.
  Percentage of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the percentage you set with this command, the security appliance fails over.
Failover Poll Times: Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
  Unit Failover: The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.
  Unit Hold Time: Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1 and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the poll time.
  Monitored Interfaces: The amount of time between polls among interfaces. The range is between 1 and 15 seconds or between 500 and 999 milliseconds.
  Interface Hold Time: Sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
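A validator for the Criteria values above, added as an example and not part of the ASDM guide or of Cisco software: it applies the ranges and the 3x hold-time rule stated for each field and works out, from the same values, when each stage of failure detection begins (the peer test after the unit hold time, the interface Testing state after five interface polls, the interface declared failed after the interface hold time). The Interval and FailoverCriteria classes are constructs of this example.

```python
"""Check Failover: Criteria values against the ranges the tab enforces and
derive the detection timeline they imply.  Added example, not Cisco code;
the classes below are constructs of this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]


@dataclass(frozen=True)
class Interval:
    """A poll or hold time entered in seconds ("s") or milliseconds ("ms")."""
    value: int
    unit: str

    def to_ms(self) -> int:
        if self.unit == "s":
            return self.value * 1000
        if self.unit == "ms":
            return self.value
        raise ValueError(f"unknown unit {self.unit!r}")

    def within(self, seconds: Range, millis: Optional[Range] = None) -> bool:
        """True when the value lies in the allowed range for its unit."""
        allowed = seconds if self.unit == "s" else millis
        return allowed is not None and allowed[0] <= self.value <= allowed[1]


@dataclass(frozen=True)
class FailoverCriteria:
    unit_poll: Interval        # Unit Failover (hello interval between units)
    unit_hold: Interval        # Unit Hold Time
    interface_poll: Interval   # Monitored Interfaces (poll interval)
    interface_hold: Interval   # Interface Hold Time
    failed_interfaces: int = 1  # Number of failed interfaces that triggers failover

    def validate(self) -> List[str]:
        """Return the rule violations the tab would reject; empty when valid."""
        errors: List[str] = []
        if not self.unit_poll.within((1, 15), (200, 999)):
            errors.append("unit poll time must be 1-15 s or 200-999 ms")
        if not self.unit_hold.within((1, 45), (800, 999)):
            errors.append("unit hold time must be 1-45 s or 800-999 ms")
        if self.unit_hold.to_ms() < 3 * self.unit_poll.to_ms():
            errors.append("unit hold time must be at least 3 times the unit poll time")
        if not self.interface_poll.within((1, 15), (500, 999)):
            errors.append("interface poll time must be 1-15 s or 500-999 ms")
        if not self.interface_hold.within((5, 75)):
            errors.append("interface hold time must be 5-75 s")
        if not 1 <= self.failed_interfaces <= 250:
            errors.append("failed-interface count must be 1-250")
        return errors

    def detection_timeline_ms(self) -> Dict[str, int]:
        """Milliseconds of silence after which each detection stage starts."""
        return {
            "peer_testing_starts": self.unit_hold.to_ms(),
            "interface_testing_starts": 5 * self.interface_poll.to_ms(),
            "interface_declared_failed": self.interface_hold.to_ms(),
        }


if __name__ == "__main__":
    # Constructed settings: a sub-second unit poll with a hold time that is
    # too short for it, plus an interface poll below the millisecond floor.
    criteria = FailoverCriteria(
        unit_poll=Interval(300, "ms"), unit_hold=Interval(800, "ms"),
        interface_poll=Interval(400, "ms"), interface_hold=Interval(25, "s"),
    )
    for problem in criteria.validate():
        print("rejected:", problem)
    print(criteria.detection_timeline_ms())
```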


Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Failover: MAC Addresses


The MAC Addresses tab lets you configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair.

Note

This tab is not available on the ASA 5505 platform.

In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic. You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses, then the failover pair uses the burned-in NIC address as the MAC address.

Note

You cannot configure a virtual MAC address for the failover or state links. The MAC and IP addresses for those links do not change during failover.
Fields

MAC Addresses: Lists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
  Physical Interface column: Identifies the physical interface for which failover virtual MAC addresses are configured.
  Active MAC Address column: Identifies the MAC address of the active security appliance (usually primary).
  Standby MAC Address column: Identifies the MAC address of the standby security appliance (usually secondary).
Add: Displays the Add Interface MAC Address dialog box. You cannot assign virtual MAC addresses to the LAN failover and Stateful Failover interfaces. See Add/Edit Interface MAC Address for more information.
Edit: Displays the Edit Interface MAC Address dialog box for the selected interface. See Add/Edit Interface MAC Address for more information.


DeleteRemoves the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Interface MAC Address


Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for an interface.
Fields

Physical Interface: Specifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces.
MAC Addresses: Contains the fields for specifying the active and standby virtual MAC addresses for the interface.
  Active Interface: Specifies the MAC address of the interface on the active security appliance (usually primary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
  Standby Interface: Specifies the MAC address of the interface on the standby security appliance (usually secondary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.


Failover-Multiple Mode, Security Context


The fields displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode. This section contains the following topics:

Failover - Routed
Failover - Transparent

Failover - Routed
Use this pane to define the standby IP address for each interface in the security context and to specify whether the status of the interface should be monitored.
Fields

Interface table: Lists the interfaces on the security appliance and identifies their active IP address, standby IP address, and monitoring status.
  Interface Name column: Identifies the interface name.
  Active IP column: Identifies the active IP address for this interface.
  Standby IP column: Identifies the IP address of the corresponding interface on the standby failover unit.
  Is Monitored column: Specifies whether this interface is monitored for failure.
Edit: Displays the Edit Failover Interface Configuration dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration


Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields

Interface Name: Identifies the interface name.
Active IP Address: Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.


Subnet Mask: Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
Standby IP Address: Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
Monitor interface for failure: Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
  Unknown: Initial status. This status can also mean the status cannot be determined.
  Normal: The interface is receiving traffic.
  Testing: Hello messages are not heard on the interface for five poll times.
  Link Down: The interface is administratively down.
  No Link: The physical link for the interface is down.
  Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple (Context)    Multiple (System)

For More Information

For more information about failover in general, see Understanding Failover.

Failover - Transparent
Use this pane to define the standby IP address for the management interface for the security context and to specify whether the status of the interfaces on the security context should be monitored.
Fields

Interface: Lists the interfaces for the security context and identifies their monitoring status.
  Interface Name: Identifies the interface name.
  Is Monitored: Specifies whether this interface is monitored for failure.
Edit: Displays the Edit Failover Interface Configuration dialog box for the selected interface.
Management IP Address: Identifies the active and standby management IP addresses for the security context.
  Active: Identifies the management IP address for the active failover unit.
  Standby: Specifies the management IP address for the standby failover unit.
Management Netmask: Identifies the mask associated with the management address.

Cisco ASDM User Guide

12-24

OL-10106-04


Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration


Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.
Fields

Interface Name: Identifies the interface name.
Monitor interface for failure: Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
  Unknown: Initial status. This status can also mean the status cannot be determined.
  Normal: The interface is receiving traffic.
  Testing: Hello messages are not heard on the interface for five poll times.
  Link Down: The interface is administratively down.
  No Link: The physical link for the interface is down.
  Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.


Failover-Multiple Mode, System


This pane includes tabs for configuring the system-level failover settings in the system context of a security appliance in multiple context mode. In multiple mode, you can configure Active/Standby or Active/Active failover. Active/Active failover is automatically enabled when you create failover groups in the device manager. For both types of failover, you need to provide system-level failover settings in the system context, and context-level failover settings in the individual security contexts. For more information about configuring failover in general, see Understanding Failover. See the following topics for more information:

Failover > Setup Tab
Failover > Criteria Tab
Failover > Active/Active Tab
Failover > MAC Addresses Tab

Failover > Setup Tab


Use this tab to enable failover on a security appliance in multiple context mode. You also designate the failover link and the state link, if using Stateful Failover, on this tab.
Fields

Enable Failover: Checking this check box enables failover and lets you configure a standby security appliance.

Note
The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces pane before enabling failover.

Use 32 hexadecimal character key: Check this check box to enter a hexadecimal value for the encryption key in the Shared Key field. Uncheck this check box to enter an alphanumeric shared secret in the Shared Key field.
Shared Key: Specifies the failover shared secret or key for encrypted and authenticated communications between failover pairs. If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f). If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

Enable LAN rather than serial cable failover: (PIX security appliance platform only) Check this check box to enable LAN failover. Uncheck this check box to use the dedicated serial link as the failover link.
LAN Failover: Contains the fields for configuring LAN Failover.
  Interface: Specifies the interface used for failover communication. Failover requires a dedicated interface; however, you can use the same interface for Stateful Failover. Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane or assign that interface to a context.
  Active IP: Specifies the IP address for the failover interface on the active unit.
  Subnet Mask: Specifies the mask for the failover interface on the active unit.
  Logical Name: Specifies the logical name for the failover interface.
  Standby IP: Specifies the IP address of the standby unit.
  Preferred Role: Specifies whether the preferred role for this security appliance is as the primary or secondary unit in a LAN failover.
State Failover: Contains the fields for configuring Stateful Failover.
  Interface: Specifies the interface used for failover communication. You can choose an unconfigured interface or subinterface or the LAN Failover interface. If you choose the LAN Failover interface, the interface needs enough capacity to handle both the LAN Failover and Stateful Failover traffic. Also, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used.

Note
We recommend that you use two separate, dedicated interfaces for the LAN Failover interface and the Stateful Failover interface.

  Active IP: Specifies the IP address for the Stateful Failover interface on the active unit.
  Subnet Mask: Specifies the mask for the Stateful Failover interface on the active unit.
  Logical Name: Specifies the logical name for the Stateful Failover interface.
  Standby IP: Specifies the IP address of the standby unit.
  Enable HTTP replication: Checking this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.


Failover > Criteria Tab


Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Note

If you are configuring Active/Active failover, you do not use this tab to define the interface policy; instead, you define the interface policy for each failover group using the Failover > Active/Active Tab. With Active/Active failover, the interface policy settings defined for each failover group override the settings on this tab. If you disable Active/Active failover, then the settings on this tab are used.
Fields

Interface Policy: Contains the fields for defining the policy for failover when monitoring detects an interface failure.
  Number of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
  Percentage of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the percentage you set with this command, then the security appliance fails over.
Failover Poll Times: Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
  Unit Failover: The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.
  Unit Hold Time: Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1 and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the poll time.
  Monitored Interfaces: The amount of time between polls among interfaces. The range is between 1 and 15 seconds or 500 to 999 milliseconds.
  Interface Hold Time: Sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
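The value ranges, the rule that the unit hold time may not be less than 3 times the poll time, and the count-or-percentage Interface Policy described above, as an added Python example; this is not Cisco's or ASDM's code. The identifiers are this example's own, and reading "triggers failover" as a greater-or-equal comparison is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accepted ranges as the Criteria tab states them. A poll or hold time may be
# entered in whole seconds ("s") or in milliseconds ("ms"), each with its own span.
UNIT_POLL_RANGES: Dict[str, Tuple[int, int]] = {"s": (1, 15), "ms": (200, 999)}   # Unit Failover
UNIT_HOLD_RANGES: Dict[str, Tuple[int, int]] = {"s": (1, 45), "ms": (800, 999)}   # Unit Hold Time
IFACE_POLL_RANGES: Dict[str, Tuple[int, int]] = {"s": (1, 15), "ms": (500, 999)}  # Monitored Interfaces
IFACE_HOLD_RANGES: Dict[str, Tuple[int, int]] = {"s": (5, 75)}                    # Interface Hold Time
MAX_FAILED_INTERFACES = 250   # ceiling of the count-based interface policy

Timed = Tuple[int, str]       # (value, "s" | "ms") as typed into the tab


def in_range(timed: Timed, ranges: Dict[str, Tuple[int, int]]) -> bool:
    """True when the value lies inside the span allowed for its unit."""
    value, unit = timed
    if unit not in ranges:
        return False
    low, high = ranges[unit]
    return low <= value <= high


def to_ms(timed: Timed) -> int:
    value, unit = timed
    return value * 1000 if unit == "s" else value


@dataclass
class FailoverCriteria:
    """One set of values for the Failover > Criteria tab."""
    unit_poll: Timed
    unit_hold: Timed
    iface_poll: Timed
    iface_hold: Timed
    failed_count: Optional[int] = None    # Number of failed interfaces that triggers failover
    failed_percent: Optional[int] = None  # Percentage of failed interfaces that triggers failover

    def errors(self) -> List[str]:
        """Every rule from the tab that this configuration violates (empty = accepted)."""
        problems: List[str] = []
        if not in_range(self.unit_poll, UNIT_POLL_RANGES):
            problems.append("Unit Failover must be 1-15 s or 200-999 ms")
        if not in_range(self.unit_hold, UNIT_HOLD_RANGES):
            problems.append("Unit Hold Time must be 1-45 s or 800-999 ms")
        # The tab refuses a hold time below 3 times the poll time. Compare in
        # milliseconds so that a 1 s poll against an 800 ms hold is rejected too.
        if to_ms(self.unit_hold) < 3 * to_ms(self.unit_poll):
            problems.append("Unit Hold Time is less than 3 times the Unit Failover poll time")
        if not in_range(self.iface_poll, IFACE_POLL_RANGES):
            problems.append("Monitored Interfaces poll time must be 1-15 s or 500-999 ms")
        if not in_range(self.iface_hold, IFACE_HOLD_RANGES):
            problems.append("Interface Hold Time must be 5-75 s")
        if (self.failed_count is None) == (self.failed_percent is None):
            problems.append("Interface Policy takes either a failure count or a percentage")
        if self.failed_count is not None and not 1 <= self.failed_count <= MAX_FAILED_INTERFACES:
            problems.append("failed-interface count must be 1-250")
        if self.failed_percent is not None and not 1 <= self.failed_percent <= 100:
            problems.append("failed-interface percentage must be 1-100")
        return problems

    def policy_triggers(self, failed: int, monitored: int) -> bool:
        """Would `failed` of `monitored` interfaces meet the Interface Policy?

        The field is labelled "... that triggers failover", so the configured
        value is read as the count (or percentage) at which failover happens,
        i.e. a >= comparison. That reading is an assumption of this example.
        """
        if monitored <= 0:
            return False
        if self.failed_count is not None:
            return failed >= self.failed_count
        if self.failed_percent is not None:
            return failed * 100 >= self.failed_percent * monitored
        return False


if __name__ == "__main__":
    # Constructed settings: hello every second, 3 s hold, interfaces polled
    # every 5 s with a 25 s hold, fail over on a single failed interface.
    ok = FailoverCriteria((1, "s"), (3, "s"), (5, "s"), (25, "s"), failed_count=1)
    print(ok.errors())                      # []
    # Same pair, but the hold time was typed as 800 ms: only 0.8x the poll time.
    bad = FailoverCriteria((1, "s"), (800, "ms"), (5, "s"), (25, "s"), failed_percent=50)
    print(bad.errors())                     # one error: hold time below 3 x poll time
    print(bad.policy_triggers(failed=2, monitored=4))   # True: 2 of 4 is 50%
```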
Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.


Failover > Active/Active Tab


Use this tab to enable Active/Active failover on the security appliance by defining failover groups. In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple mode. A failover group is simply a logical group of security contexts. You can create two failover groups on the security appliance. You must create the failover groups on the active unit in the failover pair. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Note

When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
Fields

Failover Groups: Lists the failover groups currently defined on the security appliance.
  Group Number: Specifies the failover group number. This number is used when assigning contexts to failover groups.
  Preferred Role: Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is specified. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
  Preempt Enabled: Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.
  Preempt Delay: Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.
  Interface Policy: Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.
  Interface Poll Time: Specifies the amount of time between polls among interfaces. The range is between 1 and 15 seconds.
  Replicate HTTP: Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.
Add: Displays the Add Failover Group dialog box. This button is only enabled if fewer than 2 failover groups exist. See Add/Edit Failover Group for more information.
Edit: Displays the Edit Failover Group dialog box for the selected failover group. See Add/Edit Failover Group for more information.
Delete: Removes the currently selected failover group from the failover groups table. This button is only enabled if the last failover group in the list is selected.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Failover Group


Use the Add/Edit Failover Group dialog box to define failover groups for an Active/Active failover configuration.
Fields

Preferred Role: Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
Preempt after booting with optional delay of: Checking this check box causes the unit that is the preferred failover device for a failover group to become the active unit after rebooting. Checking this check box also enables the Preempt after booting with optional delay of field in which you can specify a period of time that the device should wait before becoming the active unit.
Preempt after booting with optional delay of: Specifies the number of seconds that a unit should wait after rebooting before taking over as the active unit for any failover groups for which it is the preferred failover device. The range is between 0 and 1200 seconds.
Interface Policy: Contains the fields for defining the policy for failover when monitoring detects an interface failure. These settings override any interface policy settings on the Criteria tab.
  Number of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
  Percentage of failed interfaces that triggers failover: When the number of failed monitored interfaces exceeds the percentage you set with this command, then the security appliance fails over.
Poll time interval for monitored interfaces: The amount of time between polls among interfaces. The range is between 1 and 15 seconds.
Enable HTTP replication: Checking this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.
MAC Addresses: Lists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
  Physical Interface: Displays the physical interface for which failover virtual MAC addresses are configured.
  Active MAC Address: Displays the MAC address for the interface and failover group on the unit where the failover group is active.
  Standby MAC Address: Displays the MAC address for the interface and failover group on the unit where the failover group is in the standby state.
Add: Displays the Add Interface MAC Address dialog box. You cannot assign virtual MAC addresses to the LAN failover and Stateful Failover interfaces. See Add/Edit Interface MAC Address for more information.
Edit: Displays the Edit Interface MAC Address dialog box for the selected interface. See Add/Edit Interface MAC Address for more information.
Delete: Removes the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Interface MAC Address


Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for the interfaces in a failover group. If you do not specify a virtual MAC address for an interface, the interface is given a default virtual MAC address as follows:

Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01
Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02

Note

If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address. These MAC addresses override the physical MAC addresses for the interface.
Fields

Physical Interface: Specifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces.
MAC Addresses: Contains the fields for specifying the active and standby virtual MAC addresses for the interface.
  Active Interface: Specifies the MAC address for the interface and failover group on the unit where the failover group is active. Each interface may have up to two MAC addresses, one for each failover group, which override the physical MAC address. Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
  Standby Interface: Specifies the MAC address for the interface and failover group on the unit where the failover group is in the standby state. Each interface may have up to two MAC addresses, one for each failover group, which override the physical MAC address. Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
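The default virtual MAC derivation and the duplicate-MAC risk the note above describes, as an added Python example that is not Cisco's or ASDM's code: it computes the defaults for each (physical port, failover group) on several Active/Active pairs, reports any MAC two pairs would share, and shows the note's mitigation of assigning explicit addresses. Rendering the port number and group ID as two hex digits each, the pair names and the override MACs are this example's assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Format the dialog box asks for: three groups of four hex digits, e.g. 0123.4567.89AB.
DOTTED_MAC = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def default_virtual_macs(port: int, group: int) -> Tuple[str, str]:
    """(active, standby) defaults for one physical interface in one failover group.

    The page gives the patterns 00a0.c9<port>.<group>01 and 00a0.c9<port>.<group>02.
    A MAC address is 12 hex digits, so the port number and the group ID are
    rendered as two hex digits each (assumption of this example).
    """
    if not 0 <= port <= 0xFF:
        raise ValueError("physical port number must fit in two hex digits")
    if group not in (1, 2):
        raise ValueError("only failover groups 1 and 2 exist")
    prefix = f"00a0.c9{port:02x}.{group:02x}"
    return prefix + "01", prefix + "02"


def is_valid_dotted_mac(text: str) -> bool:
    """True when `text` is in the hexadecimal format the dialog accepts."""
    return bool(DOTTED_MAC.match(text))


Override = Tuple[str, str]               # (active MAC, standby MAC) typed by the administrator
Interfaces = Iterable[Tuple[int, int]]   # (physical port, failover group) entries of one pair


def effective_macs(port: int, group: int, override: Optional[Override]) -> Tuple[str, str]:
    """What the interface actually uses: the configured virtual MACs if any, else the defaults."""
    if override is None:
        return default_virtual_macs(port, group)
    for mac in override:
        if not is_valid_dotted_mac(mac):
            raise ValueError(f"{mac!r} is not in the 0123.4567.89AB format")
    return override[0].lower(), override[1].lower()


def find_duplicate_macs(
    pairs: Dict[str, Interfaces],
    overrides: Optional[Dict[Tuple[str, int, int], Override]] = None,
) -> Dict[str, List[str]]:
    """Every MAC address that more than one interface on the network would use,
    mapped to the failover pairs using it.

    `pairs` maps a pair name to its (port, group) interfaces; `overrides` maps
    (pair name, port, group) to explicitly assigned active/standby MACs.
    """
    overrides = overrides or {}
    owners: Dict[str, List[str]] = {}
    for pair_name, interfaces in pairs.items():
        for port, group in interfaces:
            active, standby = effective_macs(port, group, overrides.get((pair_name, port, group)))
            for mac in (active, standby):
                owners.setdefault(mac, []).append(pair_name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed topology: two Active/Active pairs on one network; both leave
    # physical port 0 in failover group 1 at its default virtual MAC addresses.
    pairs = {"pair-A": [(0, 1), (1, 1), (0, 2)], "pair-B": [(0, 1), (1, 2)]}
    print(find_duplicate_macs(pairs))
    # Mitigation from the note: give pair-B's port 0 / group 1 explicit (constructed) MACs.
    fixed = {("pair-B", 0, 1): ("0200.0000.0B01", "0200.0000.0B02")}
    print(find_duplicate_macs(pairs, fixed))   # {}
```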
Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.

Failover > MAC Addresses Tab


The MAC Addresses tab lets you configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair. In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic. You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses, then the failover pair uses the burned-in NIC address as the MAC address.

Note

You cannot configure a virtual MAC address for the failover or state links. The MAC and IP addresses for those links do not change during failover. In Active/Active failover, the MAC addresses configured on this tab are not in effect. Instead, the MAC addresses defined in the failover groups are used.
Fields

MAC Addresses: Lists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
  Physical Interface: Identifies the physical interface for which failover virtual MAC addresses are configured.
  Active MAC Address: Identifies the MAC address on the active security appliance (usually primary).
  Standby MAC Address: Identifies the MAC address on the standby security appliance (usually secondary).
Add: Displays the Add/Edit Interface MAC Address dialog box.
Edit: Displays the Add/Edit Interface MAC Address dialog box for the selected interface.
Delete: Removes the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Interface MAC Address


Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for an interface.
Fields

Physical Interface: Specifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces.
MAC Addresses: Contains the fields for specifying the active and standby virtual MAC addresses for the interface.
  Active Interface: Specifies the MAC address of the interface on the active security appliance (usually primary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
  Standby Interface: Specifies the MAC address of the interface on the standby security appliance (usually secondary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


For More Information

For more information about failover in general, see Understanding Failover.


Chapter 13

Configuring Logging
The Logging feature lets you enable logging and specify how log information is handled. The Log viewing feature lets you view system log messages in real time. For a description of the Log viewing feature, see Chapter 36, Monitoring System Log Messages.

About Logging
The security appliance supports the generation of an audit trail of system log messages that describe its activities (for example, what kinds of network traffic has been allowed and denied) and enables you to configure system logging. All system log messages have a default severity level. You can reassign a message to a new severity level, if necessary. When you choose a severity level, logging messages from that level and lower levels are generated. Messages from a higher level are not included. The higher the severity level, the more messages are included. For more information about logging and system log messages, see Cisco ASA 5500 Series System Log Messages.

Security Contexts in Logging


Each security context includes its own logging configuration and generates its own messages. If you log in to the system or admin context, and then change to another context, messages you view in your session are only those that are related to the current context. System log messages that are generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space. You can configure the security appliance to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID. To use the device ID, see Advanced Syslog Configuration, page 13-6.

Using Logging
After you have enabled logging, you can do the following:

Step 1: In the Logging Setup pane, configure the logging parameters. For more information, see Logging Setup, page 13-2.
Step 2: In the Syslog Setup pane, set the facility code to be included in system log messages that are sent to syslog servers, specify that a timestamp is included in each message, view the severity levels for messages, modify the severity level for messages, and suppress messages. For more information, see Syslog Setup, page 13-4.
Step 3: In the E-Mail Setup pane, specify system log messages to be sent by e-mail for notification purposes. For more information, see Syslog Setup, page 13-4.
Step 4: In the Event Lists pane, create custom lists of events that specify which messages should be logged; these lists are then used when you set up log filters. For more information, see Event Lists, page 13-8.
Step 5: In the Logging Filters pane, specify the criteria that should be used to filter the messages sent to each log destination. The criteria you use for creating filters are severity level, message class, message ID, or event lists. For more information, see Logging Filters, page 13-11.
Step 6: In the Rate Limit pane, limit the number of messages that can be generated in a specified time interval. For more information, see Rate Limit, page 13-15.
Step 7: In the Syslog Server pane, specify one or more syslog servers to which the security appliance sends system log messages. For more information, see Syslog Servers, page 13-18.

Logging Setup
The Logging Setup pane lets you enable system logging on the security appliance and lets you specify general logging parameters, including whether standby units can take over logging, whether to send debug messages, and whether to use the EMBLEM format. It also lets you change default settings for the internal log buffer and the security appliance logging queue.
Fields

Enable logging: Turns on logging for the main security appliance.
Enable logging on the failover standby unit: Turns on logging for the standby security appliance, if available.
Send debug messages as syslogs: Redirects all debug trace output to system logs. The system log message does not appear in the console if this option is enabled. Therefore, to view debug messages, you must have logging enabled at the console and have it configured as the destination for the debug system log message number and severity level. The system log message number used is 711001. The default severity level for this system log message is debug.
Send syslogs in EMBLEM format: Enables EMBLEM format so that it is used for all log destinations except syslog servers.
Buffer Size: Specifies the size of the internal log buffer to which system log messages are saved if the logging buffer is enabled. When the buffer fills up, it is overwritten unless you choose to enable saving of the logs to an FTP server or to internal Flash memory. The default buffer size is 4096 bytes. The range is 4096 to 1048576 bytes.
Save Buffer To FTP Server: To save the buffer contents to the FTP server before it is overwritten, check this check box. To remove the FTP configuration, uncheck this check box.
Configure FTP Settings: Identifies the FTP server and configures the FTP parameters used to save the buffer content.
Save Buffer To Flash: To save the buffer contents to internal Flash memory before it is overwritten, check this check box.

Note
This option is only available in routed or transparent single mode.

Configure Flash Usage: Specifies the maximum space to be used in internal Flash memory for logging and the minimum free space to be preserved (in KB). Enabling this option creates a directory called syslog on the device disk in which messages are stored.

Note
This option is only available in routed or transparent single mode.

ASDM Logging Queue Size: Specifies the queue size for system logs that are to be viewed in ASDM.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

For More Information


See Configure FTP Settings, page 13-3.
See Configure Logging Flash Usage, page 13-4.

Configure FTP Settings


The Configure FTP Settings dialog box lets you specify the configuration for the FTP server that is used to save the buffer contents.
Fields

Enable FTP client: Enables the configuration of the FTP client.
Server IP Address: IP address of the FTP server.
Path: Directory path on the FTP server to store the saved file.
Username: Username to log in to the FTP server.
Password: Password associated with the username to log in to the FTP server.
Confirm Password: Confirms the password.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

Configure Logging Flash Usage


The Configure Logging Flash Usage dialog box lets you specify the limits for saving buffer contents to internal Flash memory.
Fields

Maximum Flash to Be Used by Logging: Specifies the maximum amount of internal Flash memory that can be used for logging (in KB).
Minimum Free Space to Be Preserved: Specifies the amount of internal Flash memory that is preserved (in KB). When the internal Flash memory approaches that limit, new logs are not saved.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System

Syslog Setup
The Syslog Setup pane lets you set the facility code to include in messages destined for syslog servers and determine whether system log messages should include the timestamp. It also lets you change message severity levels and suppress messages you do not want to be logged.
Fields

Facility code to include in syslogs: Specifies a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL(4)20, which is what most UNIX systems expect. However, because your network devices share the eight available facilities, you might need to change this value for system logs.
Include timestamp in syslogs: Includes date and time in every system log message sent.
Syslog ID Setup: Selects the information to be displayed in the Syslog ID Table. Options are defined as follows:
  Show all syslog IDs: Specifies that the syslog ID table should display the entire list of system log message IDs.
  Show suppressed syslog IDs: Specifies that the syslog ID table should display only those system log message IDs that have been explicitly suppressed.
  Show syslog IDs with changed logging: Specifies that the syslog ID table should display only those system log message IDs with severity levels that have changed from their default values.
  Show syslog IDs that are suppressed or with a changed logging level: Specifies that the syslog ID table should display only those system log message IDs with severity levels that have been modified and the IDs of system log messages that have been explicitly suppressed.
Syslog ID Table: Display only. Shows the list of system log messages based on the setting in the Syslog ID Table View. Select individual messages or ranges of message IDs that you want to modify. You can either suppress the selected message IDs or modify their severity levels. To select more than one message ID in the list, click the first ID in the range and Shift-click the last ID in the range.
Advanced: Lets you configure system log messages to include a device ID.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

For More Information

See Edit Syslog ID Settings, page 13-5.
See Advanced Syslog Configuration, page 13-6.

Edit Syslog ID Settings


The Edit Syslog ID Settings dialog box lets you modify the severity level of the selected system log messages or specify that the selected system log messages should be suppressed.
Fields

Syslog ID(s): This text area is read-only. The values displayed in this area are determined by the entries selected in the Syslog ID Table located in the Syslog Setup pane.

Suppress Message(s): Check this to suppress messages for the system log message ID(s) displayed in the Syslog ID(s) list.

Logging Level: Choose the severity level of messages to be sent for the system log message ID(s) displayed in the Syslog ID(s) list. Levels are defined as follows:

Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)


Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System
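The facility number, the severity levels and the per-message-ID edits described under Syslog Setup and Edit Syslog ID Settings determine the PRI value a syslog server sees in front of every message. The following Python block works that through as an added example; it is not code from this guide or from Cisco. It assumes the standard RFC 3164 encoding, PRI = facility * 8 + severity, which is why LOCAL4 is facility 20. The message IDs, default levels and Syslog ID Table entries are constructed for the example and are not real appliance defaults.

```python
"""Facility, severity and per-message-ID overrides for syslog output.

Added example modelling the Syslog Setup and Edit Syslog ID Settings panes;
not Cisco code. Message IDs, default levels and table entries are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Severity levels exactly as listed under Logging Level (0 = most severe).
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "informational": 6, "debugging": 7,
}

# The eight local-use facilities that network devices share (RFC 3164):
# LOCAL0..LOCAL7 are numbered 16..23, so the default LOCAL4 is 20.
LOCAL_FACILITY = {f"local{i}": 16 + i for i in range(8)}
DEFAULT_FACILITY = LOCAL_FACILITY["local4"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI value carried in the '<PRI>' prefix of a syslog line: facility * 8 + severity."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri, as a receiving syslog server or SIEM parser applies it."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


# Model of an edited Syslog ID Table: message ID -> (suppressed, level override).
# An ID absent from the table keeps its default severity and is not suppressed.
SyslogIdTable = Dict[int, Tuple[bool, Optional[int]]]


def effective_severity(msg_id: int, default_level: int,
                       table: SyslogIdTable) -> Optional[int]:
    """Severity the appliance emits for msg_id, or None when the ID is suppressed."""
    suppressed, override = table.get(msg_id, (False, None))
    if suppressed:
        return None
    return default_level if override is None else override


def pri_for_message(msg_id: int, default_level: int, table: SyslogIdTable,
                    facility: int = DEFAULT_FACILITY) -> Optional[int]:
    """PRI that will precede the message, or None if it is never sent."""
    sev = effective_severity(msg_id, default_level, table)
    return None if sev is None else encode_pri(facility, sev)


def changed_or_suppressed(table: SyslogIdTable) -> Dict[str, List[int]]:
    """The two views the Syslog ID Setup options offer: suppressed IDs and IDs with a changed level."""
    return {
        "suppressed": sorted(i for i, (s, _) in table.items() if s),
        "changed_level": sorted(i for i, (s, o) in table.items() if not s and o is not None),
    }


if __name__ == "__main__":
    # Constructed table: one ID raised from its default to error, one suppressed.
    table: SyslogIdTable = {101001: (False, SEVERITY["error"]), 101002: (True, None)}
    for msg_id in (101001, 101002, 101003):
        print(msg_id, pri_for_message(msg_id, SEVERITY["informational"], table))
    print(changed_or_suppressed(table))
```

Because the PRI is computed from the effective severity, raising a message's level in the Syslog ID Table changes how every downstream syslog server files it, and a suppressed ID produces no line at all, which is worth keeping in mind when a collector's detection rules depend on specific message IDs arriving.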

Advanced Syslog Configuration


You can configure the security appliance to include a device ID in non-EMBLEM-format system log messages. You can specify only one type of device ID for the system log messages. The device ID can be the hostname of the FWSM, an interface IP address, the context, or a text string. The Advanced Syslog Configuration dialog box lets you determine whether system log messages should include a device ID. If this feature is enabled, the device ID is included in all non-EMBLEM formatted system log messages.
Fields

Enable Syslog Device ID: Specifies that a device ID should be included in all non-EMBLEM formatted system log messages.

Hostname: Specifies that the hostname is used as the device ID.

IP Address: Specifies the IP address of the interface that is used as the device ID.

Interface Name: Specifies the interface name corresponding to the specified IP address.

String: Specifies that a user-defined string is used as the device ID.

User-defined ID: Specifies an alphanumeric user-defined string.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

E-Mail Setup
The E-Mail Setup pane lets you set up a source e-mail address as well as a list of recipients for specified system log messages to be sent as e-mail messages for notification purposes. You can filter the system log messages sent to a destination e-mail address by severity level. The table shows which entries have been set up.


The severity level used to filter messages for a destination e-mail address is whichever is more restrictive (the higher severity) of the level selected in this section and the global filter set for all e-mail recipients in the Logging Filters pane. The per-address filter causes messages of the specified severity level and higher to be sent, and the global filter specified in the Logging Filters pane is also applied to each e-mail recipient.
Fields

Source E-Mail address: Specifies the e-mail address that is used as the source address for system log messages sent as e-mail messages.

Destination E-Mail Address: Specifies the e-mail address of the recipient of the specified system log messages.

Syslog Severity: Specifies the severity level of the system log messages that should be sent to this recipient. Messages with the specified severity level and higher are sent.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

For More Information

See Add/Edit E-Mail Recipients, page 13-7.
See Logging Filters, page 13-11.

Add/Edit E-Mail Recipients


The Add/Edit E-Mail Recipient dialog box lets you set up a destination e-mail address for a particular severity of system log messages to be sent as e-mail messages. The severity level used to filter messages for the destination e-mail address is whichever is more restrictive (the higher severity) of the level selected in this section and the global filter set for all e-mail recipients in the Logging Filters pane.
Fields

Destination E-Mail Address: Specifies the e-mail address of the recipient of selected system log messages.

Syslog Severity: Specifies the severity level of the system log messages sent to this recipient.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

Event Lists
The Event Lists pane lets you create custom lists of events that are used to select which system log messages are sent to a particular destination. After you enable logging and configure the logging parameters using the Logging Setup pane, create one or more lists of events on the Event Lists pane. Use these lists on the Logging Filters pane to specify a logging destination for each list of events. You can use three criteria to define an event list:

Message Class
Severity
Message ID

A message class is a group of system log messages related to a security appliance feature that enables you to specify an entire class of messages rather than specifying each message individually. For example, use the auth class to select all system log messages that are related to user authentication. Severity classifies system log messages based on the relative importance of the event in the normal functioning of the network. The highest severity is emergency, which means the resource is no longer available. The lowest severity is debugging, which provides detailed information about every network event. The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of system log messages, such as 101001-101010.
Fields

Name: Lists the name of the event list.

Event Class/Severity: Lists the event class and the level of logging messages. Event classes include:

All: All event classes
auth: User Authentication
bridge: Transparent firewall
ca: PKI Certification Authority
config: Command Interface
ha: Failover
ids: Intrusion Detection System
ip: IP Stack
np: Network Processor
ospf: OSPF Routing


rip: RIP Routing
rm: Resource Manager
session: User Session
snmp: SNMP
sys: System

Severity levels include the following:

Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)

Message IDs: Lists a system log message ID or range of IDs (for example, 101001-101010) to include in the filter.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

For More Information

See Add/Edit Event List, page 13-9.
See Add/Edit Syslog Message ID Filter, page 13-11.
See Logging Filters, page 13-11.

Add/Edit Event List


The Add/Edit Event List dialog box lets you create or edit an event list that you can use to specify which messages should be sent to a log destination. You can create event lists that filter messages according to message class and severity, or by message ID. A message class is a group of system log messages related to a security appliance feature. When creating an event list, you can specify an entire class of messages rather than specifying each message individually. For example, use the auth class to select all system log messages that are related to user authentication.


Severity defines system log messages based on the relative importance of the event in the normal functioning of the network. The highest severity is emergency, which means the resource is no longer available. The lowest severity is debugging, which provides detailed information about every network event. The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of system log messages, such as 101001-101010.
Fields

Name: Enter the name of the event list.

Event Class: Lists the event class. Event classes include:

All: All event classes
auth: User Authentication
bridge: Transparent firewall
ca: PKI Certification Authority
config: Command Interface
ha: Failover
ips: Intrusion Protection Service
ip: IP Stack
np: Network Processor
ospf: OSPF Routing
rip: RIP Routing
rm: Resource Manager
session: User Session
snmp: SNMP
sys: System

Severity: Lists the level of logging messages. Severity levels include the following:

Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)

Message IDs Filters: Lists a system log message ID or range of system log message IDs, such as 101001-101010, to include in the filter.

Modes

The following table shows the modes in which this feature is available:


Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

Add/Edit Syslog Message ID Filter


The Add/Edit Syslog Message ID Filter dialog box lets you specify one or more system log message IDs to be included in the event list.
Fields

Message IDs: Specify a system log message ID or range of IDs to be logged. Use a hyphen to specify a range (for example, 101001-101010).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

Logging Filters
The Logging Filters pane lets you apply message filters to a log destination. Filters applied to a log destination select the messages that are sent to that destination. You can filter messages according to message class and severity level, or use an event list that you can create on the Event Lists pane.
Fields

Logging Destination: Lists the name of the logging destination to which you can apply a filter. Logging destinations are as follows:

Console
Security appliance
Syslog Servers
SNMP Trap
E-Mail
Internal Buffer
Telnet Sessions


Syslogs From All Event Classes: Lists the severity or the event list to use to filter messages for the log destination, or whether logging is disabled for all event classes.

Syslogs From Specific Event Classes: Lists the event class to use to filter messages for that log destination.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

For More Information

See Edit Logging Filters, page 13-12.
See Add/Edit Syslog Message ID Filter, page 13-11.
See Add/Edit Class and Severity Filter, page 13-13.
See Event Lists, page 13-8.

Edit Logging Filters


The Edit Logging Filters dialog box lets you apply filters to each log destination, edit filters already applied to a log destination, or disable filters for the log destination. You can filter messages according to message class and severity level, or use an event list that you can create on the Event Lists pane.
Fields

Logging Destination: Specifies the logging destination for this filter.

Filter on severity: Filters system log messages according to their severity level.
  Filter on severity: Specifies the level of system log messages on which to filter.

Use event list: Specifies that an event list will be used for this filter.
  Use event: Specifies the event list to use.
  New: Lets you add a new event list.

Disable logging from all event classes: Disables all logging to the selected destination.

Event Class: Specifies the event class. Event classes include:

All: All event classes
auth: User Authentication
bridge: Transparent firewall
ca: PKI Certification Authority
config: Command Interface
ha: Failover


ids: Intrusion Detection System
ip: IP Stack
np: Network Processor
ospf: OSPF Routing
rip: RIP Routing
rm: Resource Manager
session: User Session
snmp: SNMP
sys: System

Severity: Specifies the level of logging messages. Severity levels include:

Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

Add/Edit Class and Severity Filter


The Add/Edit Class and Severity Filter dialog box lets you specify a message class and severity level to be used to filter messages. A message class is a group of system log messages related to a security appliance feature. When creating an event list, you can specify an entire class of messages rather than specifying each message individually. For example, use the auth class to select all of the system log messages that are related to user authentication. Severity defines system logs based on the relative importance of the event in the normal functioning of the network. The highest severity is emergency, which means the resource is no longer available. The lowest severity is debugging, which provides detailed information about every network event.
Fields

Event Class: Specifies the event class. Event classes include:


All: All event classes
auth: User Authentication
bridge: Transparent firewall
ca: PKI Certification Authority
config: Command Interface
ha: Failover
ids: Intrusion Detection System
ip: IP Stack
np: Network Processor
ospf: OSPF Routing
rip: RIP Routing
rm: Resource Manager
session: User Session
snmp: SNMP
sys: System

Severity: Specifies the level of logging messages. Severity levels include:

Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System

Add/Edit Syslog Message ID Filter


The Add/Edit Syslog Message ID Filter dialog box lets you specify individual system log message IDs or ranges of IDs to include in the event list filter.


Fields

Message IDs: Specifies the system log message ID or range of IDs. Use a hyphen to specify a range (for example, 101001-101010).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple: Context  System
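The selection rules described under Event Lists, Logging Filters, Edit Logging Filters and E-Mail Setup (class plus severity criteria, message ID ranges, one filter per destination, and the stricter-of-two rule for e-mail recipients) can be modelled in a few dozen lines. The following Python block is an added example of that logic, not code from this guide or from Cisco. The messages, event lists and filter settings in it are constructed; the class names and severity numbers are the ones listed on these panes. Two points are assumptions rather than statements the page makes: that a Syslogs From Specific Event Classes entry overrides the destination's general filter for that one class, and that a destination with no filter configured receives nothing.

```python
"""Event lists and per-destination logging filters.

Added example modelling the Event Lists, Logging Filters and E-Mail Setup panes;
not Cisco code. Messages, event lists and filter settings are constructed.
Assumptions: a per-class entry overrides the destination's general filter for
that class, and a destination with no filter configured receives nothing.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Event classes as listed on the Event Lists pane.
EVENT_CLASSES = {"all", "auth", "bridge", "ca", "config", "ha", "ids", "ip", "np",
                 "ospf", "rip", "rm", "session", "snmp", "sys"}
# Severity numbers: 0 = emergency (highest) .. 7 = debugging (lowest).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "informational": 6, "debugging": 7}


def at_least(severity: int, level: int) -> bool:
    """'Messages of the specified level and higher' means numerically lower or equal."""
    return severity <= level


def parse_id_range(text: str) -> Tuple[int, int]:
    """'101001-101010' -> (101001, 101010); a single ID is a one-element range."""
    lo, _, hi = text.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if hi_i < lo_i:
        raise ValueError(f"range end before start: {text}")
    return lo_i, hi_i


@dataclass(frozen=True)
class Message:
    msg_id: int
    event_class: str
    severity: int


@dataclass
class EventList:
    """One entry on the Event Lists pane: class/severity criteria and message ID ranges."""
    name: str
    class_severity: List[Tuple[str, int]] = field(default_factory=list)
    id_ranges: List[Tuple[int, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for cls, _ in self.class_severity:
            if cls not in EVENT_CLASSES:
                raise ValueError(f"unknown event class: {cls}")

    def matches(self, m: Message) -> bool:
        for cls, level in self.class_severity:
            if cls in ("all", m.event_class) and at_least(m.severity, level):
                return True
        return any(lo <= m.msg_id <= hi for lo, hi in self.id_ranges)


@dataclass
class DestinationFilter:
    """Edit Logging Filters settings for one destination: severity, event list or disabled."""
    severity: Optional[int] = None
    event_list: Optional[EventList] = None
    disabled: bool = False
    class_overrides: List[Tuple[str, int]] = field(default_factory=list)

    def allows(self, m: Message) -> bool:
        if self.disabled:
            return False
        for cls, level in self.class_overrides:  # assumption: class entry wins for its class
            if cls == m.event_class:
                return at_least(m.severity, level)
        if self.event_list is not None:
            return self.event_list.matches(m)
        if self.severity is not None:
            return at_least(m.severity, self.severity)
        return False  # assumption: no filter configured, nothing reaches the destination


def email_recipient_allows(m: Message, recipient_level: int, global_level: int) -> bool:
    """E-Mail Setup rule: the stricter (higher-severity, lower-numbered) level applies."""
    return at_least(m.severity, min(recipient_level, global_level))


if __name__ == "__main__":
    auth_list = EventList("auth-events", [("auth", SEVERITY["warning"])],
                          [parse_id_range("101001-101010")])
    syslog_server = DestinationFilter(event_list=auth_list)
    buffer = DestinationFilter(severity=SEVERITY["error"],
                               class_overrides=[("auth", SEVERITY["debugging"])])
    for m in (Message(101005, "sys", 7), Message(200001, "auth", 5), Message(200002, "ip", 2)):
        print(m, syslog_server.allows(m), buffer.allows(m))
```

Running the block shows the practical consequence of the "and higher" convention: a destination set to Error silently drops Warning and Notification events, and an auth-only event list passes a Debugging-level message only when its ID falls inside one of the list's ranges, so a detection pipeline that expects, say, authentication warnings on the syslog server must check the list definition rather than the global severity.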

Rate Limit
The Rate Limit pane lets you specify the number of system log messages that the firewall can send. You must also enable logging using the Logging Setup pane. You can specify a rate limit for message logging levels or be more specific and limit the rate of a specific message. The rate limit is applied to the severity level or to the message ID, not to a destination. Therefore, rate limits affect the volume of messages being sent to all configured destinations.
Fields

Rate limits for syslog logging levels

Logging Level: Lists the message severity level. Levels are defined as follows:

Disabled (no logging)
Emergency (level 0, system unusable)
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notific
Disabled (no logging) Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notific